
Hoang Long Hoan Vu JOC
Proposal for Network and Web Application Penetration Test
April 2012
CONFIDENTIAL

Date: 10 April 2012

DucNguyenA IT Security Consulting JSC
R1901 - 19th Floor, Saigon Trade Center
37 Ton Duc Thang Street
District 1, Hochiminh Vietnam
Telephone : (84) (8) 3826 6986

Hoang Long Hoan Vu JOC
20th Floor, Melinh Point Tower
02 Ngo Duc Ke, District 1
Hochiminh
Vietnam

Attention: Mr. Nguyen Dinh Hoai Phuc
ICT Administrator, IT Dept.

PROPOSAL FOR Network & Application Penetration Test

Dear Sir,

Thank you for inviting DucNguyenA (hereinafter referred to as “DNA”) to submit a proposal to provide Network & Web Application Penetration Test services to Hoang Long Hoan Vu (hereinafter referred to as “HLHV”). This proposal sets out our scope and approach to conducting the penetration test, our preferential policy, fees and an outline of the experience of our chosen DNA team.

We have given careful consideration to your needs and believe that our approach, methodologies, technical and business experience and the quality of our people differentiate us as your consultant of choice. We believe our response has captured your needs and objectives as expressed in our discussions to date, but would welcome the opportunity to discuss any refinements to this proposal required in order to fully meet your needs.

Should you find our proposal agreeable, we will proceed to prepare the Terms of Engagement
which, together with our Terms of Business, will form the basis of the Contract between us for
the engagement. Please do not hesitate to contact me at + 84 0902 159977 if you have any
queries or require clarification on any matter.

We thank you again for the opportunity to submit this proposal and we look forward to being
of service to HLHV.

Yours faithfully,

Duc Nguyen
Managing Director


Table of Contents

1. Our Understanding Of Your Requirements
2. Approach And Scope Of Work
3. Assumptions And Exclusions
4. Engagement Timeline
5. Deliverables
6. Fees
7. Our Team
8. Our Preferential Policy
9. Appendix I: Tools And Methodology
10. Appendix II: Citations


1. OUR UNDERSTANDING OF YOUR REQUIREMENTS

HLHV understands the need to secure its network, web application and business data in the face of emerging cyber security threats. HLHV would like to engage an independent company to conduct a qualitative risk assessment and a network and web application penetration test on its system prior to its launch, as well as to report on the potential risks, threats, exposures and vulnerabilities identified.

We believe that DNA is ideally placed to undertake this engagement for you since we understand the need to perform independent and effective security controls testing and to provide practical remediation steps to increase your defenses against growing security threats.

DNA believes that a security assessment should go above and beyond mere scanning and translation of outputs. A security assessment assignment with DNA involves a structured approach carried out using proven methodologies, tools and risk scenarios, an experienced and analytical assessment of vulnerabilities, and the timely communication of issues in a language relevant to the business, focusing on business risks and technical vulnerabilities.

Our dedicated team of consultants has extensive knowledge and experience in performing penetration tests, network security, business security and technical security reviews, and a deep understanding of industry standards, procedures and policies.

2. APPROACH AND SCOPE OF WORK

Based on our understanding of your requirements, we have tailored an approach that we believe would be most effective in meeting your requirements.

We propose that the scope of work be divided into the following process:

PROJECT INITIATION

The next few pages explain in more detail our approach and work steps for each phase identified.

PRE-PHASE : PRE-ENGAGEMENT

This phase defines all the pre-engagement activities and scope definitions. The activities will include the following:

- Define the scope of work, timeline, location, disclosure of sensitive information, IP range, number of servers, desktops and web applications, legal issues, and what we will test.
- Define metrics for time estimation. Even once a full in-depth network and web application penetration test has been scoped, we may need to add at least 20% to the time estimate; we call this padding time.
- Ask the following questions before accurately scoping the Penetration Test engagement:

"Network Penetration Test "


1. Why is HLHV having the penetration test performed against their environment?
2. Is the penetration test required for a specific compliance requirement?
3. When does HLHV want the active portions (scanning, enumeration, exploitation, etc.) of the penetration test conducted?
4. During business hours?
5. After business hours?
6. On the weekends?
7. How many total IP addresses are being tested?
8. How many internal IP addresses, if applicable?
9. How many external IP addresses, if applicable?
10. Are there any devices in place that may impact the results of a penetration test, such as a firewall, intrusion detection/prevention system, web application firewall, or load balancer?
11. Is the penetration test based on specific scenarios?
12. Are your assets classified based on their corresponding business impact?
13. Is your asset classification mapped to your patch management program?

“Web Application Penetration Test”

1. How many web applications are being assessed?
2. How many login systems are being assessed?
3. How many static pages are being assessed? (approximately)
4. How many dynamic pages are being assessed? (approximately)
5. Will the source code be readily available for viewing?
6. Will there be any kind of documentation, and if yes, what kind of documentation?
7. Will we be performing static analysis on this application?
8. Does HLHV want us to perform fuzzing against this application?
9. What credentials does the application support, and what level of access is granted for each type of account? For example, many applications support manager, administrator and user-level accounts.
10. If the application supports multiple levels of accounts, will it be possible for the testers to have test accounts created for authenticated testing?

“Social Engineering Penetration Test”

1. Will HLHV provide e-mail addresses of personnel that we can attempt to social engineer?
2. Will HLHV provide phone numbers of personnel that we can attempt to social engineer?
3. Will we be attempting to social engineer physical access?
4. How many people will be targeted?

“Questions for HLHV Systems Administrators”

1. Can you identify your fragile systems? These would be systems that have a tendency to crash, or run outdated and unstable applications.
2. Do you have Change Management procedures in place?
3. What is the mean time to repair system outages?
4. Do you have any systems monitoring software in place?
5. What are your most critical servers and applications?
6. Do you test backups on a regular basis?
7. When was the last time you restored from backup?

- Dealing with Third Parties and Local Teams: ISP, web hosting providers, application team, IT helpdesk team.
- Define acceptable Social Engineering pretexts. HLHV wants to test their security posture in a way that is aligned with current attacks, but some of these SE scenarios may not be acceptable in a corporate environment.
- Define DoS Testing or Stress Testing. If HLHV is only worried about the confidentiality or integrity of their data, stress testing may not be necessary; however, if HLHV is also worried about the availability of their services, then the stress testing should be conducted in a UAT (non-production) environment that is identical to their production environment.
- Establish lines of communication: define a communication framework that will assist DNA and give HLHV confidence in the test activities.
- Create an emergency contact list, with the following information about each emergency contact:
  1. Full name
  2. Title and operational responsibility
  3. Authorization to discuss details of the testing activities, if not already specified
  4. Two forms of 24/7 immediate contact, such as cell phone, pager, or home phone, if possible
  5. One form of secure bulk data transfer, such as SFTP or encrypted email

In meeting HLHV’s requirements, we propose two (2) modules of work to test the security effectiveness of the network and web application. These modules are independent of each other and supplement the controls in each area.

The modules are as follows:

- Module 1: Network Penetration Test
- Module 2: Web Application Penetration Test

We will provide a report with detailed findings and recommendations arising from Phase 1 & Phase 2. Specifically, the detailed activities for the above modules are as follows:


PHASE 1 : NETWORK PENETRATION TEST

The external and web application penetration test will be conducted from our secure
penetration testing laboratory in our DNA HCM Office. The internal penetration test
will be conducted at HLHV Head Office.

The detailed activities for the Network Penetration Test based on SANS Framework
will include the following stages:

Information Gathering

This phase is supplemented by information obtained during the pre-engagement phase to assess the threats faced by Internet-facing servers and devices. In addition, we will seek to understand your technical environment based on risk assessment and attack vectors. We will then model our test scenarios according to what we believe is a testing exercise that will give you the most relevant results with practical solutions to address your security weaknesses.

Information Gathering is performing reconnaissance (footprinting) against the HLHV network to gather as much information as possible to be utilized when penetrating the target during the Penetration Test and exploitation phases.

The more information gathered during this phase, the more attack vectors may be available later on. Upon commencement of the Information Gathering, we will conduct:

- Intelligence Gathering
  - Identification and Naming of Target
  - Passive Information Gathering
  - Semi-passive Information Gathering
  - Active Information Gathering
- Infrastructure Assets
  - Network blocks owned
  - Email addresses
  - External infrastructure profile
  - Remote access
  - Static IPs/Netblocks
  - Technologies used
  - Application usage
  - Defense technologies
- External Footprinting
  - Identify Customer External Ranges: WHOIS Lookups
  - Active Footprinting: Port Scanning, Banner Grabbing, SNMP Sweeps, Zone Transfers, SMTP Bounce Back
  - DNS Discovery: Forward/Reverse DNS, DNS Bruteforce
  - Establish External Target List: Mapping versions, Identifying patch levels, Identify lockout threshold, Identify weak ports for attack, Outdated Systems, Virtualization platforms vs VMs
- Internal Footprinting
  - Passive Reconnaissance: Identify Customer Internal Ranges
  - Active Footprinting: Port Scanning
- Network Based Protections
  - "Simple" Packet Filters
  - Tunneling
- Host Based Protections
  - Application Whitelisting
  - AV/Filtering/Behavioral Analysis
- Application Level Protections
  - Identify Application Protections
  - Potential Bypass Avenues
- User Protections
  - AV/Spam Filtering Software

Subsequently, the qualitative risk assessment will then be performed.

Threat Modeling / Qualitative Risk Assessment

This phase details the elements that are part of the threat modeling, based on the information gathered, and the Qualitative Risk Assessment using the Delphi Technique. It defines the threat modeling approach required for correct execution of a penetration test.

The standard does not use a specific model, but instead requires that the model used be consistent in terms of its representation of threats, their capabilities and their qualifications as per the organization being tested, and that it can be repeatedly applied to future tests with the same results. Upon commencement of the Qualitative Risk Assessment, we will conduct:

- Qualitative Risk Assessment
  - Establish the context
  - Delphi Technique Identification
  - Risk Analysis
- Risk Evaluation
  - Organization Structure
  - General Management
  - Outsourcing Security
  - Personnel Security
  - Physical Security
  - Equipment Security
  - Physical Access Control
  - Access Control Security
  - Authentication
  - User Identification
  - User Privileges Management
  - Password Management
  - Logging
  - Network Access Control
  - Data Security
  - Application Security
  - Application Development & Maintenance
  - Configuration Management & Control
  - Network & Communication Security
  - General Network Protection
  - Internet Security
  - Email Security
  - Software and Patch Management
  - Wireless Security
  - Security Incident Management
  - Security Incident Monitoring
  - Security Incident Response
- Assigning Numeric Scales
- Risk Treatment


Vulnerability Scanning & Testing

We will prepare detailed work plans based on the identified risk scenarios and the information gathered in the threat modeling / qualitative risk assessment stage, to reflect HLHV’s requirements. Vulnerability scanning and testing is the process of discovering flaws in systems and applications which can be leveraged by an attacker.

These flaws can range anywhere from host and service misconfiguration to insecure application design. Although the process used to look for flaws varies and is highly dependent on the particular component being tested, some key principles are applied to the process. Upon commencement of the vulnerability testing, we will conduct:

- Vulnerability Scanning
- Verification of the use of traffic, routing and encrypted protocols.
- Manual verification against hosts to eliminate any “false positives”.
- Host identification tests and probing through firewalls.
- Identification of applications behind services, and their patch levels.
- Identification of any default usernames and passwords in use.
- Vulnerability scanning with Nexpose and Nessus 5 for common application protocols, according to the applications and operating systems.


We will perform our Penetration Test by attempting the following types of attacks. The list shown is not exhaustive and may include other techniques as required.

Type of Attacks

- Scan all open TCP/UDP ports for open services
- Anonymous Telnet / FTP access
- Default password guessing
- Application server vulnerabilities
- Windows OS platform patch vulnerabilities
- SMB/NetBIOS vulnerabilities
- SQL service vulnerabilities
- Remote desktop vulnerabilities
- ACL firewall testing
- IP Spoofing
- SMTP send mail relay weakness
- Weak SSL encryption
- Router access and manipulation
- Domain Name Server vulnerabilities
- SMB NULL access
- HTTP Track / Trace
- EXPN / VRFY mail server information disclosure

Please refer to Appendix I for the list of penetration testing tools that will be utilized.
Please note, however, that this list is not exhaustive and we may employ additional
tools as required.


Automatic Exploit / Risk-based Exploit (5 users) / SE Browsing & Fileformat Exploit (5 users)

Upon completion of the Vulnerability Scanning & Testing stage, we will analyze the scan results and, once we have identified potential vulnerabilities, we will ascertain if the vulnerability can be exploited.

An exploit authorization form will be presented to HLHV detailing the target systems, the user awareness, the nature of the exploit(s) and the proposed method of performing the exploit. We will seek your authorization to perform the subsequent penetration tests and agree to the scope of the intrusion.

We will attempt to exploit the system and application by utilizing various techniques, methods and risk scenarios, and to exploit user awareness by Social Engineering (SE) techniques. The following describes the methods we will conduct in this stage:

- Automatic Exploit
  - Metasploit Pro Automatic Exploit, importing input data from Nexpose and Nessus 5 reports
- Risk-based Scenario Exploit for 5 users
  - Session Hijacking with Mobile devices
  - Karmasploit Rogue Access Point
  - Rogue Applications Update
  - Man-in-the-middle Attack with SSL Sniffing, SSL Strip
- SE Browsing-based Exploit for 5 users
  - IE Browser, Firefox Browser Scenario-based Attack Campaign
  - Local Application Scenario-based Attack Campaign
- SE Fileformat Exploit for 5 users
  - Attack application file formats of users: Adobe Acrobat (PDF), Foxit Reader (PDF), Microsoft Word (DOC), Microsoft Excel (XLS), based on social engineering scenarios

These test methods may cause severe service interruption and degradation.
Therefore, such tests should only be performed in a monitored and controlled
environment, to minimize the business impact, or be limited to a “proof of concept”
only.

POST Exploit / Pivoting / Intrusion

Upon completion of the exploit phase, we will test whether further access can be gained to the target’s internal networks by pivoting, covering our tracks as we progress from system to system. A post-exploit authorization form will be presented to HLHV detailing the target systems, the nature of the exploit(s) and the proposed method of performing the post-exploit.

We will seek your authorization to perform the post-exploit and agree to the scope of the intrusion. We may also opt to sniff packets for other potential victims, edit their registries to gain further information or access, or set up a backdoor to maintain more permanent system access.

Pivoting is the technique of using an instance (also referred to as a 'plant' or 'foothold') to "move" around inside a network: basically using the first compromise to allow, and even aid in, the compromise of other otherwise inaccessible systems. In this scenario we will be using it for routing traffic from a normally non-routable network.

Utilizing these techniques will ensure that we maintain some level of access and can potentially lead to deeper footholds into the target’s trusted infrastructure. The following describes the methods we will conduct in this stage:

- Pivoting
  - Testing External Pivoting
- POST Exploit for 5 users
  - Privilege Escalation
  - Pass the Hash
  - Destroy Event Log (no audit record)
  - Enabling Remote Desktop
  - Interacting with Registry
  - Screen Capture
  - Record Camera, Record Microphone, FUD (Fully Undetectable)
  - Persistent Rootkit
  - Searching and downloading sensitive data (.doc, .xls, password.*)
  - History Files
  - Encryption Keys (SSH, PGP/GPG)
- Cleanup
  - Remove all executables, scripts and temporary files from compromised systems
  - Return system settings and application configuration parameters to their original values
  - Remove all backdoors and/or rootkits installed
  - Remove any user accounts created for connecting back to compromised systems

PHASE 2: WEB APPLICATION PENETRATION TEST

We will undertake a web application penetration test on HLHV’s online system. The objective is to gain privileged or unauthorized access to the application or to gain access to other users’ data within the web application. This is done by supplying varying profiles or access levels and focusing on application layer vulnerabilities.

The level of testing performed during web application penetration tests varies depending on the complexity of the application. Therefore, the web application Penetration Test that will be performed is on the assumption that only one web application will be tested, that is the online system hosted at http://www.hlhvjoc.com.vn/ (HLHV needs to confirm the exact domain name). We will attempt to gain unauthorized access and test the application’s functionality.

The activities of this phase include the following:

Assess / Model Threats

We will establish and acquire the information required to successfully define the
scope of the web application penetration test. This involves gathering of information
and completing an initial threat analysis to ensure that testing emulates the real life
threats.

Survey

We will conduct a series of meetings with individuals responsible for the application(s)
to help better understand the scope. Considerations include the complexity of the
site, number of independent security mechanisms, authentication methods, the use of
encryption, certificate management, number of pages and forms, and the number of
back-end systems being used, as well as technology platforms involved.

The initial stage is familiarization with the application (i.e. the business model and general operation). We will intercept and store network traffic and save the HTML, Java, PHP, CGI, ASP, .NET or other source code for the sites we encounter. The following describes the methods we will conduct for the Web Application Penetration Test, based on the OWASP Testing Framework:

Category | Ref. Number | Test Name | Vulnerability

Information Gathering
OWASP-IG-001 | Spiders, Robots and Crawlers | N.A.
OWASP-IG-002 | Search Engine Discovery/Reconnaissance | N.A.
OWASP-IG-003 | Identify application entry points | N.A.
OWASP-IG-004 | Testing for Web Application Fingerprint | N.A.
OWASP-IG-005 | Application Discovery | N.A.
OWASP-IG-006 | Analysis of Error Codes | Information Disclosure

Configuration Management Testing
OWASP-CM-001 | SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | SSL Weakness
OWASP-CM-002 | DB Listener Testing | DB Listener weak
OWASP-CM-003 | Infrastructure Configuration Management Testing | Infrastructure Configuration management weakness
OWASP-CM-004 | Application Configuration Management Testing | Application Configuration management weakness
OWASP-CM-005 | Testing for File Extensions Handling | File extensions handling
OWASP-CM-006 | Old, backup and unreferenced files | Old, backup and unreferenced files
OWASP-CM-007 | Infrastructure and Application Admin Interfaces | Access to Admin interfaces
OWASP-CM-008 | Testing for HTTP Methods and XST | HTTP Methods enabled, XST permitted, HTTP Verb

Business Logic Testing
OWASP-BL-001 | Testing for Business Logic | Bypassable business logic

Authentication Testing
OWASP-AT-001 | Credentials transport over an encrypted channel | Credentials transport over an encrypted channel
OWASP-AT-002 | Testing for user enumeration | User enumeration
OWASP-AT-003 | Testing for Guessable (Dictionary) User Account | Guessable user account
OWASP-AT-004 | Brute Force Testing | Credentials Brute forcing
OWASP-AT-005 | Testing for bypassing authentication schema | Bypassing authentication schema
OWASP-AT-006 | Testing for vulnerable remember password and password reset | Vulnerable remember password, weak password reset
OWASP-AT-007 | Testing for Logout and Browser Cache Management | Logout function not properly implemented, browser cache weakness
OWASP-AT-008 | Testing for CAPTCHA | Weak Captcha implementation
OWASP-AT-009 | Testing Multiple Factors Authentication | Weak Multiple Factors Authentication
OWASP-AT-010 | Testing for Race Conditions | Race Conditions Vulnerability

Authorization Testing
OWASP-AZ-001 | Testing for Path Traversal | Path Traversal
OWASP-AZ-002 | Testing for bypassing authorization schema | Bypassing authorization schema
OWASP-AZ-003 | Testing for Privilege Escalation | Privilege Escalation

Session Management
OWASP-SM-001 | Testing for Session Management Schema | Bypassing Session Management Schema, Weak Session Token
OWASP-SM-002 | Testing for Cookies attributes | Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
OWASP-SM-003 | Testing for Session Fixation | Session Fixation
OWASP-SM-004 | Testing for Exposed Session Variables | Exposed sensitive session variables
OWASP-SM-005 | Testing for CSRF | CSRF

Data Validation Testing
OWASP-DV-001 | Testing for Reflected Cross Site Scripting | Reflected XSS
OWASP-DV-002 | Testing for Stored Cross Site Scripting | Stored XSS
OWASP-DV-003 | Testing for DOM based Cross Site Scripting | DOM XSS
OWASP-DV-004 | Testing for Cross Site Flashing | Cross Site Flashing
OWASP-DV-005 | SQL Injection | SQL Injection
OWASP-DV-006 | LDAP Injection | LDAP Injection
OWASP-DV-007 | ORM Injection | ORM Injection
OWASP-DV-008 | XML Injection | XML Injection
OWASP-DV-009 | SSI Injection | SSI Injection
OWASP-DV-010 | XPath Injection | XPath Injection
OWASP-DV-011 | IMAP/SMTP Injection | IMAP/SMTP Injection
OWASP-DV-012 | Code Injection | Code Injection
OWASP-DV-013 | OS Commanding | OS Commanding
OWASP-DV-014 | Buffer overflow | Buffer overflow
OWASP-DV-015 | Incubated vulnerability | Incubated Vulnerability
OWASP-DV-016 | Testing for HTTP Splitting/Smuggling | HTTP Splitting, Smuggling

Denial of Service Testing
OWASP-DS-001 | Testing for SQL Wildcard Attacks | SQL Wildcard Vulnerability
OWASP-DS-002 | Locking Customer Accounts | Locking Customer Accounts
OWASP-DS-003 | Testing for DoS Buffer Overflows | Buffer Overflows
OWASP-DS-004 | User Specified Object Allocation | User Specified Object Allocation
OWASP-DS-005 | User Input as a Loop Counter | User Input as a Loop Counter
OWASP-DS-006 | Writing User Provided Data to Disk | Writing User Provided Data to Disk
OWASP-DS-007 | Failure to Release Resources | Failure to Release Resources
OWASP-DS-008 | Storing too Much Data in Session | Storing too Much Data in Session

Web Services Testing
OWASP-WS-001 | WS Information Gathering | N.A.
OWASP-WS-002 | Testing WSDL | WSDL Weakness
OWASP-WS-003 | XML Structural Testing | Weak XML Structure
OWASP-WS-004 | XML content-level Testing | XML content-level
OWASP-WS-005 | HTTP GET parameters/REST Testing | HTTP GET parameters/REST Testing
OWASP-WS-006 | Naughty SOAP attachments | WS Naughty SOAP attachments
OWASP-WS-007 | Replay Testing | WS Replay Testing

Ajax Testing
OWASP-AJ-001 | AJAX Vulnerabilities | N.A.
OWASP-AJ-002 | AJAX Testing | AJAX weakness
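The cookie-attribute test listed above as OWASP-SM-002 can be scripted as a defender-side check. What follows is an added example, not code from the proposal or from DNA: it parses Set-Cookie header values and reports cookies that are not HttpOnly, not Secure, or carry no time validity, run here over constructed sample headers rather than real HLHV responses.

```python
"""Audit Set-Cookie headers for the weaknesses named in OWASP-SM-002.

Added example for this proposal (not DNA's tooling). Attribute names in
Set-Cookie are case-insensitive (RFC 6265), so they are compared lower-cased.
"""
from typing import Dict, List

# Constructed sample response headers, not captured from the HLHV application:
# a bare session cookie, a hardened one, and a harmless preference cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=5E1F2C9A1B7D; Path=/",
    "auth=tok-123; Path=/; HttpOnly; Secure; Max-Age=1800",
    "lang=en; Path=/; Expires=Wed, 10 Apr 2013 00:00:00 GMT",
]


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {'name', 'value', <attr lower-cased>: <attr value>}.

    Only the first '=' separates name from value, so later '=' characters stay
    in the value (e.g. base64 tokens). Flag attributes such as HttpOnly map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    parsed = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return parsed


def audit_cookie(header_value: str) -> List[str]:
    """Return the OWASP-SM-002 findings for one cookie; an empty list means it passes."""
    cookie = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in cookie:
        findings.append("not HttpOnly: readable by page script, so an XSS bug can steal it")
    if "secure" not in cookie:
        findings.append("not Secure: the browser also sends it over plain HTTP")
    if "expires" not in cookie and "max-age" not in cookie:
        # A missing expiry is the 'no time validity' item in the table. For a
        # session token this is often intended, so treat it as a point to review.
        findings.append("no time validity: no Expires or Max-Age attribute")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings, for a list of Set-Cookie header values."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {'WEAK' if findings else 'OK'}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the header values come from an intercepting proxy capture of the target's login and post-login responses; the script only decides which cookies to raise as SM-002 findings.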

Intrusion

Once we obtain formal authorization for the target, we will attempt controlled
intrusion. During intrusion attempts, DNA will focus on finding the highest risk items
first, to perform the most efficient penetration. As we proceed through the list, a
detailed report of findings is created.

DNA will be in frequent communication with HLHV’s representatives during the test.
If we identify a highly critical problem in the web application, the issue will be
communicated immediately to the designated HLHV’s representative contact for
immediate attention. All identified findings will be clearly described with references to
specific parts of the application and the recommendations for remediation.

Assess Exposure

Upon the completion of the testing phases, we will proceed to produce a detailed
report that describes the work performed and the results of our tests along with the
recommendations for addressing the vulnerabilities identified.

PHASE 3: REPORTING

We will issue a final report detailing the findings and recommendations arising from
the vulnerability analysis and the implementation status of the recommendations.

The final report for the assessment of each website will include the following:
- Executive Summary
- The detailed tests performed
- The output or results of the test
- An analysis of the results
- Recommended improvements and solutions, prioritized based on an evaluation of the vulnerability and categorized as immediate, short or long-term improvements

The following shows a sample report template that will be used:


DNA will provide a report detailing the results of our Penetration Testing and our
solutions to address the vulnerabilities identified. A sample of our report with
recommendations to address vulnerabilities is shown below:


3. ASSUMPTIONS AND EXCLUSIONS

This engagement will be carried out on the following assumptions of responsibilities:

DNA’s Responsibilities

- No testing will be undertaken until written agreement is received from HLHV.
- If, during any of the phases of our work, unauthorized access is found to be possible to any system, we will undertake further penetration only with the prior notification of and agreement from HLHV.
- Prior to the commencement of any Penetration Testing we will provide the contact details of our lead team members to the nominated HLHV contact. At all stages of the Penetration Testing, the lead team members will be contactable and in a position to discontinue the testing, should any need for this arise.
- We will not exceed the scope of work as agreed with HLHV.
- Our testing machines will be encrypted to prevent loss of confidential information in the event of theft.
- We will digitally shred confidential data at the end of the engagement, except for documents required for archival, which will be encrypted.
- Testing is only undertaken by qualified and experienced DNA personnel in our secured penetration testing laboratory.

HLHV’s Responsibilities

- Provide details of a nominated HLHV contact to our lead team members.
- Ensure that an appropriate escalation chain exists within your organization and communicate the risks of such testing to that group.
- Provide details of the permitted testing window.
- Advise any hosting companies and obtain written consent to test the security of such systems without liability, limitation or further permission from third parties.
- Ensure appropriate backup and recovery mechanisms are in place to minimize the impact of any weaknesses identified, disruption of service or loss of data and programs.

Other key assumptions are:

- The completion of each stage and the development of the deliverables for this engagement are based on the assumption that we will be carrying out work without interruption, that permitted and relevant information is provided to us, and that all relevant officers, management or employees of HLHV are accessible at all reasonable times requested by us.
- We will advise management should any circumstances arise which cause the actual time cost to exceed the fees. If at any time during our work we become aware that there would be extensions or significant variations to the scope of work agreed upon, or that the agreed fees would be exceeded by more than 10 percent, we shall inform you immediately and obtain your consent prior to conducting further work.


4. ENGAGEMENT TIMELINE

Based on the scope of work and deliverables proposed, our estimated engagement
timeline is as follows:

Phase                                         Duration
Pre-Phase (Pre-engagement)                    2 days
Phase 1 (Network Penetration Test)            10 days
Phase 2 (Web Application Penetration Test)    3 days
Phase 3 (Reporting & clearance of report)     6 days
Total                                         21 days

5. DELIVERABLES

We will provide you with a report detailing the scope of work performed and
the results of the review. The report will include remediation details to the
vulnerabilities found.

6. FEES

In accordance with normal professional practice, our fees are calculated on the basis of the amount of time required for the engagement and the seniority of the staff involved.

Based on the work and deliverables described above, our estimated fees (excluding the 10% VAT) will be as follows:

Fee Based on Module                  USD
Network Penetration Test             $5476
Web Application Penetration Test     $476
TOTAL                                $5952

This is our scope of test for HLHV:

- Ho Chi Minh Site
- Vung Tau Supply Base Office
- DR Site
- Off-shore Site

This is on the assumption that we will be carrying out work without interruption, that all records and documents are provided to us, and that all relevant officers, management or employees of HLHV are accessible at all reasonable times requested by us. We will also advise management should any circumstances arise which cause the actual time cost to exceed the fees.

If at any time during our work we become aware that there would be
extensions or significant variations to the scope of work agreed upon, we
shall inform you immediately and obtain your consent prior to conducting
further work.

7. OUR TEAM

We have assembled a DNA team with experience in penetration testing, network security architecture review, and IT audit to complement this engagement.

Below are the roles and responsibilities and a brief resume of each member of our proposed DNA team:

Nguyen Phuoc Duc, a Managing Director in DNA, will be Project
Director for this engagement. He will be responsible for providing project
direction and ensuring the quality of deliverables, and will be on the team
performing the network penetration test and web application penetration test
for this engagement. He has experience in multiple penetration testing
engagements involving external and internal penetration testing, and web
application penetration testing for a range of clients from industries such as
banking, finance and accounting.

He has gained Certified Information Systems Security Professional Instructor
(CISSP), Cisco Certified Internetwork Expert Security (CCIE Security
Written), Certified Ethical Hacker (CEH), Websense Web Security Expert
(WWSE) and Check Point Certified Security Expert Plus (CCSE+) certifications, and has
over 9 years of experience in the area of Information Security in
Singapore and Vietnam.

He is currently an elite member of the Vietnam Information Security
Association in Ho Chi Minh City. He is also Chief Security Officer (CSO) of
Awareness Group, a Partner Agency in Public Relations Organisation
International (PROI).

Nghiem Sy Tam Phuong, a Manager in DNA, has gained Certified
Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI) and
Certified Cisco Network Professional (CCNP) certifications, with over 10 years of
experience in IT security and controls. He will be responsible for monitoring the
status of deliverables and the project timeline, reporting to the Project Director on
the status of deliverables, and ensuring that the stated objectives are met in
accordance with the agreed work schedules.

He will also be available to attend to any issues and concerns from HLHV.
His experience covers IT operations and systems implementation.

Nguyen Duc Hanh, an Assistant Executive in DNA, is a Certified
Ethical Hacker (CEH) and will be on the team performing the web application
penetration test for this engagement.

Hanh comes from a software development background which covered
industries such as stock-broking, telecommunication and construction. His
prior work experience included prototyping, supporting, developing, testing
and deploying enterprise applications in Java. Technologies used include
application servers like IBM WebSphere Application Server, back-end and front-end
frameworks (Hibernate, Struts, Log4J), and web-oriented Java
technologies (JSP, J2EE). Hanh also has more than 5 years' experience in IT
Support handling back-end enterprise application systems, which included
tasks such as installing, configuring, and maintaining mainframe systems.

Other consultants will also be involved in the project:

 Mr. Bui Huy Hai, senior tester, 5+ years in firewall architecture.
 Mr. Nguyen Minh Ha, senior tester, responsible for performing automated
web security scanning.

Although the nominated team should be available, there is always a
possibility that circumstances may arise which may cause them to be
unavailable at the time they are required to commence the project. In such
cases, the team member will be replaced by another consultant with
equivalent experience and seniority. In addition, we will provide a copy of
the proposed replacement’s curriculum vitae and agree to revise staffing with
HLHV to ensure that the right level of expertise is provided.

8. OUR PREFERENTIAL POLICY

When providing the Network & Web Application Penetration Test for HLHV, DNA
offers the following preferential policy:

Items and Description

• Off-site and on-site support for HLHV's security incidents within 6
months: provided by DNA’s security experts.
• Information Security & Risk Management Training Workshop: our IS&RM
Training Workshop is a two-day course available onsite (maximum 10 persons).


Appendices


Appendix I: Tools and Methodology

Methodology and what it is:

• DNA Security Penetration Testing Methodology: to provide project teams a
consistent service delivery framework to define, design, develop and implement an
appropriate Threat and Vulnerability Management solution; and to provide a modular,
yet highly integrated approach to uncover weaknesses and vulnerabilities, protect an
organization from unwanted attacks, develop remediation for security risks, and
implement processes and tools to intelligently manage the myriad of security
information.

• Security Penetration Testing Tools: the suite of tools utilized by the project team
to conduct the security penetration testing work.

• DNA IT Security Risk Management Methodology: to enable IT asset risks to be
properly identified and prioritized according to risk ratings. This enables us to
propose cost-effective and practical countermeasures to be developed to eliminate,
reduce or mitigate the risks identified.

• DNA Enterprise Security Architecture: to define the various interrelated aspects of
information security that need to be examined and implemented to ensure an
organization is efficiently and effectively secured.


1. Security Penetration Testing Methodology

DNA’s Threat and Vulnerability Management Methodology provides an effective security
management framework that will help reduce the risk of business interruption from IT
related security events. Its objectives are:

• To provide project teams a consistent service delivery framework to define, design,
develop and implement an appropriate Threat and Vulnerability Management solution
that responds to HLHV’s specific needs to manage IT Infrastructure security threats
and vulnerabilities;
• To provide a modular, yet highly integrated approach to uncover weaknesses and
vulnerabilities, protect an organisation from unwanted attacks, develop remediation
for security risks, and implement processes and tools to intelligently manage the myriad
of security information; and
• To provide a holistic and strategic framework that helps Symphony mobilise their
resources to protect the critical assets using technologies.

The DNA Security Penetration Testing Methodology is a proprietary methodology
developed as an additional approach for testing the security of information systems. This
approach is based upon attempting to circumvent existing security controls in a manner that
provides a “real life” test of data security controls.

The prime objectives of the methodology include providing a risk- and business-based
approach to security penetration testing, test results that link to the risk management and risk
assessment processes, and achieving broad coverage of all relevant systems. These
results are balanced with detailed and focused testing of specific target systems.


This methodology is intended to be universally applicable to all situations,
regardless of the technology, scope or approach. It is a collection of wisdom and
general principles to be applied as needed to each project.

2. Security Penetration Testing Tools

We will use various manual and automated tools to conduct the internal and external
security penetration testing. A sample of the tools used is as follows (but not limited to):

Footprinting Tools
• Unix/Windows clients, e.g. Linux, Slackware, FreeBSD, Sun Solaris, Windows 2000,
2003, 2008, XP, Vista, Windows 7 etc.: operating systems for carrying out the network
security assessments, installing scanning tools, executing exploit programs and
penetration tests.
• Nslookup and Dig (Unix and web-based application): tools to query DNS servers to
obtain more information about the domain name.
• Web sites: DNSStuff, SecuritySpace, ARIN, APNIC, MYNIC, Netcraft, etc.: tools to
query DNS servers for more information about the domain name, the type and version of
the web server, the SSL server, etc.
• Dnswalk and Dnstrace: tools for checking the DNS server configuration, e.g. zone
transfer, etc.

Port Scanners and Vulnerability Scanning Tools
• Nmap, Superscan and NetscanTools: network mappers for scanning open ports on
remote hosts.
• Ping, Fping, Hping2 and Netcat: advanced tools to test network connectivity, map
out the network structure, test the firewall rules, etc.
• Nessus 5, Nexpose, ISS Scanner, GFI LANGuard Network Security Scanner, Network
Stumbler, Retina, Yersinia: open source and commercial vulnerability scanners.
• Cisco-Exploiter, Yersinia, Cisco-Torch, Cisco-Audit, Cisco-scanner, Cisco-Enabler,
IOS-w3-vuln, Merge-Router-Config, Copy-Router-Config: scripts and tools to identify
vulnerabilities in Cisco devices.
• Ike-scan, Ikeprobe, Ettercap: tools to scan IKE transactions for VPN testing.
• Strobe, Queso, Raccess, Xprobe and Siphon (Unix): port scanning tools, i.e.
checking which ports are open on remote hosts, identifying the operating system
version, identifying application system versions, etc.

Web Assessment Tools
• WebScarab, Paros Proxy, HTTrack, Wapiti, N-Stealth, Nikto, Wikto, Whisker, CGI
Scanner, Absinthe and miscellaneous thin client tools: tools used for the security
assessment of web based applications.

Commercial Tools
• Metasploit Pro: use of these commercial VA/PT tools can be requested at
additional cost.


3. IT Security Risk Management Methodology

DNA has an IT Security Risk Assessment Methodology which enables IT assets risks to
be properly identified and prioritized according to risk ratings. This enables us to propose
cost-effective and practical countermeasures to be developed to eliminate, reduce or
mitigate the risks identified.

Our typical risk management process is as shown below:

Our approach enables us to identify:

• Which assets are at risk;
• Significant threats to those assets;
• Practical and realistic mitigation strategies in place; and
• Residual risks requiring further treatment.


4. DNA Enterprise Security Architecture™

The DNA Enterprise Security Architecture™ is a comprehensive and proven model. It
defines the various interrelated aspects of information security that need to be examined
and implemented to ensure an organization is efficiently and effectively secured.

The DNA Enterprise Security Architecture™ was developed to help understand an
organization’s security challenges from a business perspective and to provide a
structured approach to support enterprise security initiatives.

The DNA Enterprise Security Architecture™ has many different building blocks that form
a solid foundation and structure. The result is a comprehensive, cohesive model for
assessing information protection efforts that takes into consideration all of the aspects of
an organization, from business processes to technologies to individual employees.


Appendix II: Citations

Client: Government Agency
Engagement: Penetration Test Services
As part of the national cyber-security requirements for critical national information
infrastructure agencies to have their information assets secured, DNA was commissioned
to perform an assessment of the network infrastructure security of one of Vietnam’s
government agencies and provide recommendations on how it could be improved. The
following tasks were performed:
1) Network security architecture review
2) Network penetration testing
3) Web application penetration test
4) Host and network device assessment
5) Technical security policy review

Client: Large Local Bank
Engagement: External & Web Application (eBanking) Penetration Testing
DNA was engaged to perform a web application penetration test for one of our local
banks. The scope covered the external-facing Internet banking portal infrastructure,
i.e. DNS servers, web application servers, firewalls and routers.

Client: Largest PR Agency
Engagement: Network Security Penetration Test Audit
DNA was engaged to perform penetration testing on a PR agency’s systems. The project
covered the following areas:
• Security Awareness;
• Blackbox/Unguided External Penetration Testing;
• Internal Penetration Testing;
• Application Penetration Testing;
• Wireless Penetration Testing;
• Network Architecture Review;
• Network Device Configuration Review (Switches & Firewalls).

Client: Large Local Retailer of electronics and home appliances
Engagement: Information Security Controls Review
DNA was engaged to perform an information security controls review of the corporate
ICT unit. The project covered the following areas:
• Review of the security policies and baselines against international standards
(ISO17799:2005(E), ISO27001:2005(E) and CoBIT);
• Review of processes and procedures to monitor compliance of the third party service
provider;
• Desktop review of internal/external connectivity protection and penetration test;
• Review of the procedures within the company to monitor the status of implementation
of audit recommendations; and
• Conduct of ICT security awareness training.
DNA successfully strengthened the company’s information security by identifying the
weaknesses in processes, procedures, policies and baselines and providing value-adding
recommendations to remedy the weaknesses identified.

Client: A Major Vietnam Pharmaceutical Company
Engagement: Network Security and Application Control Review
DNA was engaged to conduct an application controls and technical security review of
their healthcare portal. The project covered the following areas:
• External and Internal Penetration Testing;
• Web Application Penetration Test to review the client’s web site source code for
known vulnerabilities;
• Security configuration review of the underlying operating systems such as AS/400
and Windows 2003 servers;
• Data centre review and network review including both internal and external
penetration testing; and
• End-to-end business process review of the e-Procurement system, covering input
controls (interface controls/processing, etc.), collation of data for processing, timing
of processing and error management (determination, isolation and processing of
error records).

Client: A Vietnam Unit Trust Company
Engagement: e-Commerce Infrastructure Security Assessment
DNA assisted the client in performing an IT security assessment to determine the
security posture of the network infrastructure and systems supporting the web portal
application providing unit trust transactions for its agents through the Internet. The
project covered the areas of:
• Network security architecture review (router and firewall assessment);
• Security configuration review of Windows 2003 server;
• Web Application Penetration Test (WAVA); and
• Internal and external penetration testing.
A report on the findings and recommendations was presented to the client and assistance
was provided to the client in implementing our recommendations.

Client: Financial Services regulator
Engagement: Securing Digital Information
The objective of the SDI project is to secure the client’s digital information assets
throughout their life cycle, in line with the requirements stipulated under the
Information Security Policies and Standards, which have been adapted from ISO/IEC 27001.
The project comprises 3 work streams:
I. Policy Gap Analysis: review of the client’s current Information Security Policies and
Standards (referred to as I-Sec Policy) due to the changes in ISO/IEC 27001;
II. Solution Evaluation: identify, evaluate and select potential software solutions to
operationalise the Bank’s I-Sec Policies; and
III. Change Management: develop a communications plan to promote awareness of the
client’s I-Sec policies and standards and the SDI project in particular.


Thank You.
For further information on this proposal, please do not hesitate
to contact

duc@ducnguyena.com
+84 0902 159977
