Schumaker & Company Audit of Philadelphia Gas Works - August 2015
PHILADELPHIA GAS WORKS
Information Security Assessment and Testing Services
RFP#30198
Questions & Answers
December 4, 2015
www.pgworks.com Page 1 of 19
QUESTIONS ANSWERS
Q1 What is the goal of testing?
A1 We engage in this type of testing to promote our own best practices and ensure our security posture is as it should be.

Q2 No. of active IPs (internal):
A2 To be updated

Q3 Number of servers:
A3 To be updated

Q4 Type of Operating Systems deployed on servers?
A4 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q5 Number of network devices (est.):
A5 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q6 Is internal penetration/vulnerability testing to be white box (fully informed, regular user), or black box (visitor, no rights, etc.), or a combination?
A6 It will be a combination of white box and black box testing.

Q7 Number of desktops/laptops? How many images/builds?
A7 No more than 1000 desktops/laptops. No more than 5 images.

Q8 What Operating System is deployed on the laptops that will be assessed?
A8 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q9 Is an IDS/IPS device in place on the network? If so, type and IP?
A9 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.
Q10 Configuration Reviews or Scope Honing for Penetration Testing: Detailed internal information can be helpful in honing the scope of an internal assessment. Are there standard images for system types? If so, how many? Hosts/Servers?
Configuration Audit
Total Number of Servers: [x]
Windows
Number of servers: [x]
Percentage of servers to be tested: [x]
Number of workstations: [x]
Percentage of workstations to be tested: [x]
Number of domain controllers: [x]
A10 Refer to A7

Q11 For the external network, how big are the network segments and about how many active IP addresses are there?
A11 One segment

Q12 For the internal network, including servers, databases, desktops, networking devices and the VoIP system, how large are PGW’s network segments and about how many active IP addresses are there?
A12 Refer to A2
Q13 How many web applications are in scope for the assessment? For each web application, please provide the following:
a. Is it remotely accessible?
b. How many different user roles exist?
c. About how many different / unique pages exist within the application?
A13 3 web applications.
a. All are remotely accessible.
b. 1 to 2 user roles for each application.
c. Not exceeding 30 pages for each application.

Q14 For the physical security vulnerabilities, how many locations will be included in the scope of the assessment? Approximately how big is each location?
A14 5 locations

Q15 Approximately how many sites are included that have Wi-Fi that would be included in the assessment?
A15 One floor in one building

Q16 Is social engineering (i.e. phishing, phone calls, in person, etc.) considered in-scope for this assessment?
A16 In person only. NO phishing and NO phone calls.

Q17 Please provide the total number of external systems that are in scope.
A17 Refer to A11

Q18 Please provide the total number of internal systems that are in scope.
A18 Refer to A2

Q19 Please provide the total number of physical locations.
A19 Refer to A14
Q20 Identify security vulnerabilities in servers, databases, desktops and network devices utilized by PGW’s corporate networks, which includes a VoIP system.
Q: Is the SCADA network managed and isolated from your business IP network?
Q: What Cloud Services are engaged by PGW? (ERPs, CRMs, SaaS, PaaS et al)
Q: What is the VOIP system used? (Broadsoft et al)
Q: Do you have Network Managed Services?
Q: What type of Security Products, i.e., Tripwire, OADM, IDS, RSA, are currently in use in the Environment?
Q: What are your OS Environments? Linux, MS Windows, Mainframe.
A20 SCADA is out of scope. Due to security concerns, PGW will not provide the rest of the information and post it on the website at this time. It may be provided to the successful proposer.

Q21 Exploit these vulnerabilities to gain access to PGW’s computing environment and get as far as possible toward attaining Root or Domain Administrator access privileges.
Q: What is the Geographic dispersion that is in scope? Intra or Inter-State.
Q: What are the security Regulatory requirements (State and Federal for your industry – DHS) (Industry NIST, et al)?
Q: PEN TEST: After the initial External and Internal PEN tests and reports, do you want the remediation to be performed in item 8 and the re-test to only target testing of remediated issues, or do you want a full scope retest to ensure capture of any added changes since the initial, to capture any dynamic changes that may have been made in the interim time frame?
A21 Intra-state. All the locations are within city limits - 35 miles.
PGW is not under the direct guidance of any security regulation legislation.
Remediation is optional. If needed, only retest the remediated issues.
Q22 Demonstrate the attainment of elevated privileges and ability to export potentially sensitive data.
Q: When it comes to physical security, do you have documented Break-Glass procedures?
Q: Is your current Identity and access management framework documented and available?
Q: Is your current HR formal onboard and off-board documented and available?
Q: How many end users?
Q: Do you have a self-serve Password management system?
A22 Due to security concerns, PGW will not provide that information and post it on the website at this time. It may be provided to the successful proposer.

Q23 Identify security vulnerabilities in PGW’s web applications.
Q: Is there a documented and available Web architecture?
Q: Is Web application development Mobile outsourced?
A23 No
N/A

Q24 Identify physical security vulnerabilities by attempting access to computing hardware and sensitive information using social engineering techniques.
Q: What is the number of Business offices (How many locations in scope?)
Q: Is your Data center a co-location? If so
A24 Refer to A14
Q25 Please provide an approximate number for each of the following device types used by PGW that are considered in scope for this project.
Physical Servers
Virtual Servers
Desktop devices
Mobile devices
Wireless access points
Number of VoIP devices
Firewalls
Routers
Switches
A25 Refer to A3, A5 and A7
Q26 What types of mobile devices are used by PGW?
A26 N/A

Q27 How many network user accounts do you have?
A27 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q28 How many web applications are considered in scope for this project?
A28 Refer to A13
Q29 The RFP states: “Proposer would be expected to test physical security controls at PGW’s main campus, gas plants, outlying stations and District Offices.”
Please describe the buildings that make up the PGW main campus.
How many gas plants are considered in scope of this project?
How many outlying stations are considered in scope of this project?
How many District Offices are considered in scope of this project?
A29 Refer to A14
Q30 Does PGW want an automated tool approach or a manual technique approach for the penetration testing?
A30 A combination of both

Q31 Does PGW want an automated tool review of the web applications? How many applications are there?
A31 No. Refer to A13

Q32 How many functional pages does each application have?
A32 Refer to A13

Q33 How does PGW want the physical penetration test conducted? What locations, if any, are off-limits?
A33 Refer to A16. Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q34 Will the CVSS base score meet PGW’s requirements for an assessment of the level of risk for each vulnerability? Or are you looking for comprehensive risk scoring based on the CVSS score (vulnerability), threats, and in-place/effective controls?
A34 No specific requirement on the type of risk scoring
Q35 How many servers, databases, desktops, network devices are internal for testing?
A35 Refer to A3, A5 and A7

Q36 How many Gas Plants to visit and test, outlying stations, and district offices to visit and test?
A36 Refer to A14

Q37 VOIP - system vendor? Is the VOIP system segmented from the main network?
A37 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q38 How does PGW evaluate current control practices?
A38 N/A

Q39 Under the risk assessment section, does PGW perform a risk assessment for each vulnerability discovered? Also, what rating system has PGW used in the past to establish the level of risk?
A39 Refer to A34

Q40 What is PGW’s estimated budget for the project?
A40 We decline to provide that information now.

Q41 What does your external gateway consist of? Please provide details.
A41 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q42 Will SCADA be included or excluded in this assessment?
A42 SCADA will be excluded from this assessment.

Q43 For the mobile wireless access controls, do you want the focus on cell phones also, or simply wireless?
A43 Wireless only
Q44 Testing physical security controls. Do you want people to obtain interior access beyond the initial physical entry point (that is, into restricted computer rooms, etc.) or simply attempt to access building facilities?
A44 Due to security concerns, PGW will not provide this information and post it on the website at this time. It will be provided to the successful proposer.
Q45 In the social engineering techniques item (Item 2.2, Number 5), do you want social engineering contained to the physical access component of the assessment, or do you also want a phishing test?
A45 Social engineering is contained to physical test only. Refer to A16.

Q46 Do you want to determine at what level your incident detection system detects our activity? In this case this would mean that our activities would start stealthy and become noisier to understand at which point activities are detected. Would blocks be initiated by PGW if detected?
A46 The vendor would be expected to provide the IP addresses they are using for testing so that PGW can monitor the activities. Blocks will not be initiated.

Q47 Should we assume that no internal security assessment is desired, other than the physical and wireless tasks?
A47 Please refer to page 35 of the RFP about the Malicious Insider Phase.

Q48 Are there any compliance requirements driving this project?
A48 Refer to A21

Q50 For the external vulnerability and penetration test, how many active IP addresses are in scope?
A50 Refer to A11

Q51 How many data centers are there?
A51 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.
Q52 How many physical locations are there? How many locations have wireless access points?
A52 Refer to A14

Q53 What other wireless services besides WiFi are used by PGW? Please describe. Are they in scope?
A53 None

Q54 Are all Security Procedures and Policies centrally managed?
A54 Yes

Q55 How many individuals will need to be interviewed in order to collect relevant Policy and Procedure information?
A55 No interview is needed.

Q56 The RFP identifies ISO and NIST as a policy reference model. Is PGW sensitive to PCI and/or NERC control requirements?
A56 No

Q57 Will you provide address ranges?
A57 Yes

Q58 If not, would you like a Black Hat Test sequence executed?
A58 N/A

Q59 What is the number of IPs/Servers owned / in scope?
A59 Refer to A2, A3 and A7

Q60 What is the number of IPs/Servers managed by another party?
A60 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q61 What is the number of separate DMZs?
A61 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q62 What is the number of IPs active within the scope?
A62 Refer to A2
Q63 What is the number of Web Applications and description (approx. # of pages, components)?
A63 Refer to A13
Q64 Is there a Mobile Device Management Solution in place? How many PDAs, etc. are in scope?
A64 N/A

Q65 Are there any Modems in scope?
A65 No

Q66 Are SCADA, Plant Controls, RTUs in scope? Please describe the environment including number and type of devices and locations.
A66 No

Q67 How many external WIFI environments exist? How many Wireless Access Points are deployed?
A67 Refer to A15

Q68 What is the number of IPs owned? How many subnets?
A68 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q69 What is the number of Servers, Desktops?
A69 Refer to A3 and A7

Q70 How many VOIP/IPT Call Manager Servers are in place? Which vendor is used?
A70 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q71 Is the Call Center IP enabled?
A71 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q72 Are Wireless IP phones utilized?
A72 No

Q73 What is the number of IPs active?
A73 Refer to A2, A3 and A7
Q74 Wireless Testing:
A74

Q75 What are the # of SSIDs, WAPs and physical location(s)?
A75 Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be provided to the successful proposer.

Q76 Social Engineering:
A76

Q77 What is the # of phishing targets?
A77 NO phishing test is required.

Q78 How many locations will require a physical security check?
A78 5 locations

Q79 Contract term is 1 year. How many optional “additional test sequences” are anticipated after delivery of the initial findings and recommendations report?
A79 Refer to part 3 of A21

Q80 We are assuming that our questions and all questions asked by competing vendors will be shared with all vendors for clarity of scope for the RFP. Is this assumption correct?
A80 Yes

Q81 **2 - From the statement of requirements for the RFP, elements of Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are being requested. Is this the intent of PGW, or are you asking vendors to specifically focus on the Penetration Test Services? Will there be an opportunity in the telephone conference to further clarify intent?
A81 Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are requested. The vendor is expected to focus on all three services. Refer to section 2.2 of the RFP (page 6).
Yes
Q82 Is there a target completion date for the services provided, or is this an item to be determined after the contract is awarded?
A82 We expect the testing to start in 2016 as soon as the contract is signed. No specific end date. Based on past experience, the actual test should be finished within weeks.
Q83 Will presentations to PGW be at PGW premises? Will there be any time limit to presentations?
A83 Onsite presentations are not mandatory. The presentation should not exceed an hour.

Q84 Given question 2 above, there is a potential for scope changes within the life of the contract? Is there a change order process at PGW that vendors will be expected to follow, or should we provide our standard change order process?
A84 Yes, there is a potential for scope change. We can follow the vendor’s change order process.

Q85 Depending on your response to question number **2 above, we have the following questions by service line that will enable us to properly answer your RFP.
External Penetration Test:
Number of Internet-facing IPs (how many total IP addresses do you have allocated on the Internet)?
Number of Internet-facing IPs in use (how many IP addresses have services listening on the Internet)?
Would you like the test to include social engineering (Email/Phone)?
A85 Refer to A2, A3, A7 and A11. NO Social Engineering via email and phone.
Q86 Internal Penetration testing:
Are all internal systems logically accessible from a single location?
If not, how many locations would need to be visited?
Would you like the test to include social engineering (physical)?
How many physical locations (buildings, campuses, etc.) will be tested?
A86 Yes
N/A
Yes
Refer to A14
Q87 General Questions:
What operating system platforms are in use (e.g., Windows, Linux, Netware)?
Approximate number of servers and workstations? (please map numbers to platforms above)
Approximate number of network devices (please map count to device type: routers, firewalls, switches, wireless APs/controllers, etc.)?
What vendor is your network hardware from (e.g., routers, firewalls, switches)?
How many total locations make up the organization? How many have server/storage infrastructure?
Are all internal systems logically accessible from a single location? If not, how many locations would need to be visited?
A87 Refer to A2, A3, A7, A11, A14, and A86. Due to security concerns, PGW will not provide the rest of the information and post it on the website at this time. It may be provided to the successful proposer.

Q88 Application Assessment Questions:
How many applications are in scope for the assessment?
How many User Roles are in the application(s)?
A88 Refer to A13
Q89 Organizational Security:
Are you interested in a social engineering exercise? (Y/N)
Do you have documented policies and procedures? (Y/N)
Are you interested in a policies, procedures and practices assessment? (Y/N)
Are you interested in policies and procedures templates? (Y/N)
Are you interested in a Data Loss Prevention assessment? (Y/N)
Are you interested in a top-down, strategic risk assessment? (Y/N)
A89 Please refer to section 2.2 in the RFP for the scope of this project.

Q90 Platform Specific Security Assessment Questions:
Are you interested in in-depth, platform-specific security assessments? (Y/N - If yes, please answer the questions below)
Number of in-scope infrastructure devices (routers and firewalls) across all locations:
Number of in-scope Microsoft servers:
Number of in-scope Active Directory domains:
Number of in-scope virtual host servers:
A90 Yes
Due to security concerns, PGW will not provide the remaining information and post it on the website at this time. It may be provided to the successful proposer.

Q91 For web application vulnerabilities, is the proposer expected to identify vulnerabilities only, or identify and exploit?
A91 We expect testers to exploit the identified vulnerabilities.
Q92 Will the web application pen testing be performed on a production network or test network?
A92 Production

Q93 The RFP mentions “mobile wireless access controls”. Was the intent to specify 802.11x (WiFi) type devices or specifically tablet and smart phone access? If tablet and smart phone access, which mobile operating systems are in scope (e.g. iOS, Android, etc.)?
A93 Wi-Fi only

Q94 When was the last such assessment done/completed and by whom?
A94 The last assessment was done in 2015.

Q95 Does the vendor need a certificate of good standing from State or City prior to award?
A95 No

Q96 Are any systems or devices in scope hosted by a third party?
A96 Due to security concerns, PGW will not provide the remaining information and post it on the website at this time. It may be provided to the successful proposer.

Q97 If IDS/IDP systems are in place, is the assessment also intended to test the responsiveness during this assessment? Or, will AT&T Consulting systems be configured as exceptions in the IDS/IPS?
A97 No exceptions will be created.

Q98 Are brute-force attacks and password cracking in scope?
A98 Yes

Q99 Are there any timing restrictions on the testing?
A99 No

Q100 Where will testing be performed?
A100 In our headquarters.
Q101 For the Database Vulnerability Assessment and Penetration assessments, how many databases need to be reviewed? (each instance counts as a separate database)
A101 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.
Q102 What is the name of the database (e.g., MS SQL 2005, Oracle 9i, etc.)?
A102 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q103 What OS does this database run on? (e.g., Windows Server 2008, Windows XP, AIX, etc.)
A103 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q104 What is the business significance of this database?
A104 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q105 Will you be able to provide a read-only account (capable of reading all the security information on the database) to the vendor? This account will only be used for collecting security configuration information and will not be used for accessing the data contents.
A105 No

Q106 Is this area high density with other organizations, or more or less dedicated to one organization? For example, a deployment in a skyscraper may interact with many other companies.
A106 No

Q107 What types of traffic are traversing the Wireless LAN?
A107 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q108 Who will be aware of the testing?
A108 Network and Security team
Q109 For the Application Vulnerability Assessment and Penetration Assessment, what are the application names?
A109 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q110 What is the primary function of each application that will be included in the Application Vulnerability Assessment?
A110 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q111 What is the type of application (web, thick-client, etc.)?
A111 Web

Q112 Approximately how many pages/screens accept user input?
A112 No more than 30 screens

Q113 What is the network transport utilized? (Raw TCP/SSL)?
A113 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q114 Considering the upcoming Holiday, would PGW consider extending the proposal due date to January 8, 2016?
A114 Yes

Q115 What is the anticipated number of personnel needed?
A115 No preference

Q116 Is offshore allowed?
A116 No

Q117 Will PGW be providing their own tools to scan the environment, or will the vendor be required to provide these tools?
A117 Vendor will be required to provide tools.
Q118 Does PGW require the vendor to test the scripts in a lab environment before testing in the live environment? If so, will the test environment be provided by PGW?
A118 Vendor is not required to test the scripts in a lab environment.
Q119 Are there multiple/redundant environments in place that need to be tested simultaneously?
A119 No

Q120 Will the tests be conducted on the PGW production or the test or the development environment?
A120 Combination of all