Dear Sir,
Thank you for inviting DucNguyenA (hereinafter referred to as “DNA”) to submit a proposal to
provide Network & Web Application Penetration Test services to Hoang Long Hoan Vu
(hereinafter referred to as “HLHV”). This proposal sets out our scope and approach to
conducting the penetration test, our preferential policy, our fees and an outline of the
experience of the proposed DNA team.
We have given careful consideration to your needs and believe that our approach,
methodologies, technical and business experience and the quality of our people make us
your consultant of choice. We believe our response has captured your needs and objectives
as expressed in our discussions to date, but we would welcome the opportunity to discuss
any refinements to this proposal required to fully meet your needs.
Should you find our proposal agreeable, we will prepare the Terms of Engagement which,
together with our Terms of Business, will form the basis of the Contract between us for the
engagement. Please do not hesitate to contact me at +84 0902 159977 if you have any
queries or require clarification on any matter.
We thank you again for the opportunity to submit this proposal and we look forward to being
of service to HLHV.
Yours faithfully,
Duc Nguyen
Managing Director
CONFIDENTIAL
Table of Contents
4. Engagement Timeline
5. Deliverables
6. Fees
7. Our Team
HLHV understands the need to secure its network, web application and business data in
the face of emerging cyber security threats. HLHV would like to engage an independent
company to conduct a qualitative risk assessment and a network and web application
penetration test on its system prior to launch, and to report on the potential risks,
threats, exposures and vulnerabilities identified.
We believe that DNA is ideally placed to undertake this engagement for you, since we
understand the need to perform independent and effective security controls testing and
to provide practical remediation steps that strengthen your defenses against growing
security threats.
DNA believes that a security assessment should go beyond mere scanning and the
translation of tool output. A security assessment with DNA involves a structured
approach carried out using proven methodologies, tools and risk scenarios, an
experienced and analytical assessment of vulnerabilities, and the timely communication
of issues in language relevant to the business, focusing on business risks and technical
vulnerabilities.
We propose that the scope of work be divided into the following phases:
PROJECT INITIATION
The next few pages explain in more detail our approach and work steps for each
phase identified.
PRE-PHASE : PRE-ENGAGEMENT
This phase defines all the pre-engagement activities and scope definitions. The
activities will include the following:
Social engineering scope:
1. Will HLHV provide e-mail addresses of personnel that we can attempt to social
engineer?
2. Will HLHV provide phone numbers of personnel that we can attempt to social
engineer?
3. Will we be attempting to social engineer physical access? If so, how many people
will be targeted?
Fragile systems:
1. Can you identify your fragile systems? These are systems that tend to crash, or that
run outdated and unstable applications.
Dealing with third parties and local teams: ISP, web hosting providers, application
team, IT helpdesk team.
Define acceptable social engineering pretexts. HLHV wants to test its security posture
in a way that is aligned with current attacks; some of these SE scenarios may not be
acceptable in a corporate environment.
Define DoS testing or stress testing. If HLHV is only concerned about the confidentiality
or integrity of its data, stress testing may not be necessary; however, if HLHV is also
concerned about the availability of its services, then stress testing should be conducted
in a UAT (non-production) environment that is identical to the production environment.
Establish lines of communication: define a communication framework that supports DNA
and keeps HLHV informed of, and comfortable with, the test activities.
Create an emergency contact list, with the following information about each emergency
contact:
1. Full name
2. Title and operational responsibility
3. Authorization to discuss details of the testing activities, if not already specified
4. Two forms of 24/7 immediate contact, such as cell phone, pager, or home phone, if
possible
5. One form of secure bulk data transfer, such as SFTP or encrypted email
In meeting HLHV’s requirements, we propose two (2) modules of work to test the
security effectiveness of the network and web application. These modules are
independent of each other and supplement the controls in each area.
We will provide a report with detailed findings and recommendations arising from
Phase 1 & Phase 2. Specifically, the detailed activities for the above modules are as
follows:
The external and web application penetration test will be conducted from our secure
penetration testing laboratory in our DNA HCM Office. The internal penetration test
will be conducted at HLHV Head Office.
The detailed activities for the Network Penetration Test based on SANS Framework
will include the following stages:
Information Gathering
The more information you are able to gather during this phase, the more vectors of
attack you may be able to use in the future. Upon commencement of the Information
Gathering, we will conduct :
Intelligence Gathering
Identification and Naming of Target
Passive Information Gathering
Semi-passive Information Gathering
Active Information Gathering
Infrastructure Assets
This phase details the elements that are part of the threat modeling, based on the
information gathered, and the Qualitative Risk Assessment using the Delphi technique.
It defines a threat modeling approach as required for the correct execution of a
penetration test.
The standard does not prescribe a specific model, but instead requires that the model
used be consistent in its representation of threats, their capabilities and their
qualifications for the organization being tested, and that it can be applied repeatedly
to future tests with the same results. Upon commencement of the Qualitative Risk
Assessment, we will conduct:
Risk Evaluate :
Organization Structure
General Management
Outsourcing Security
Personnel Security
Physical Security
Equipment Security
Physical Access Control
Access Control Security
Authentication
User Identification
User Privileges Management
Password Management
Logging
Network Access Control
Data Security
Application Security
Application Development & Maintenance
Configuration Management & Control
Network & Communication Security
General Network Protection
Internet Security
Email Security
Software and Patch Management
Wireless Security
Security Incident Management
Security Incident Monitoring
Security Incident Response
Assigning Numeric Scales
Risk Treatment
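The "Assigning Numeric Scales" and "Risk Treatment" steps above are where the Delphi technique produces a number. The following is an added worked example, not part of the DNA proposal: each assessor independently rates likelihood and impact on a 1-5 scale, a Delphi round takes the median per criterion, and a risk whose ratings spread over more than one scale step is sent back for another round instead of being accepted. The scale, the consensus rule, the treatment thresholds and the sample ratings are all assumptions made for this example.

```python
"""Qualitative risk scoring with a Delphi-style consensus round.

Added example, not part of the DNA proposal. Scale, consensus rule,
treatment bands and the sample votes are assumptions made for illustration.
"""
from statistics import median

SCALE = range(1, 6)  # 1 = very low ... 5 = very high (assumed scale)


def consensus_score(ratings):
    """Return (median, has_consensus) for one criterion's ratings.

    Consensus rule (assumed): the ratings span at most one scale step.
    """
    for r in ratings:
        if r not in SCALE:
            raise ValueError(f"rating {r} outside the 1-5 scale")
    return median(ratings), (max(ratings) - min(ratings)) <= 1


def risk_level(score):
    """Map the 1-25 likelihood x impact product onto treatment bands
    (assumed thresholds, matching the report's immediate/short/long-term
    categories)."""
    if score >= 15:
        return "high"      # immediate treatment
    if score >= 8:
        return "medium"    # short-term treatment
    return "low"           # long-term treatment or accept


def rate_risk(name, likelihood_votes, impact_votes):
    """Aggregate one Delphi round for a single risk."""
    lik, lik_ok = consensus_score(likelihood_votes)
    imp, imp_ok = consensus_score(impact_votes)
    score = lik * imp
    return {
        "risk": name,
        "likelihood": lik,
        "impact": imp,
        "score": score,
        "level": risk_level(score),
        # No consensus on either criterion: re-poll before treating the risk.
        "consensus": lik_ok and imp_ok,
    }


# Constructed sample: three assessors rating two risks from the evaluation list.
# Each value is (likelihood votes, impact votes).
SAMPLE_VOTES = {
    "Default credentials on management interfaces": ([4, 5, 4], [5, 4, 5]),
    "Missing wireless segmentation": ([2, 4, 2], [3, 3, 4]),
}


def assess(votes=SAMPLE_VOTES):
    """Score every risk and order them for the treatment plan, highest first."""
    results = [rate_risk(n, lik, imp) for n, (lik, imp) in votes.items()]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in assess():
        flag = "" if r["consensus"] else "  (no consensus: re-poll assessors)"
        print(f"{r['risk']}: {r['level']} ({r['score']}){flag}")
```

Taking the median rather than the mean is what makes the round Delphi-like: a single outlying assessor cannot drag the score, but the spread check still surfaces that the panel disagrees, which is the signal to circulate the anonymised ratings and poll again.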
We will prepare detailed work plans based on the risk scenarios identified and the
information gathered in the threat modeling / qualitative risk assessment stage, to
reflect HLHV’s requirements. Vulnerability scanning and testing is the process of
discovering flaws in systems and applications which can be leveraged by an attacker.
These flaws range from host and service misconfiguration to insecure application
design. Although the process used to look for flaws varies and is highly dependent on
the particular component being tested, some key principles apply throughout. Upon
commencement of the vulnerability testing, we will conduct:
Vulnerability Scanning
Verification of the use of traffic, routing and encrypted protocols.
Manual verification against hosts to eliminate any “false-positives”.
Conduct host identification tests and test probing passing firewalls
Identification of applications behind service and patch levels
Identify if any default usernames and passwords are used
Vulnerability scanning with Nexpose and Nessus 5 for common application protocols,
according to the applications and operating systems identified.
We will perform our Penetration Test by attempting the following types of attack. The
list shown is not exhaustive and may include other techniques as required.
Type of Attacks
Please refer to Appendix I for the list of penetration testing tools that will be utilized.
Please note, however, that this list is not exhaustive and we may employ additional
tools as required.
Upon completion of the Vulnerability Scanning & Testing stage, we will analyze the
scan results and once we have identified potential vulnerabilities, we will ascertain if
the vulnerability can be exploited.
Automatic Exploit
Metasploit Pro Automatic Exploit, importing input data from Nexpose and Nessus 5 reports
Risk-based Scenario Exploit for 5 users
Session Hijacking with Mobile devices
Karmasploit Rogue Access Point
Rogue Applications Update
Man-in-the-middle Attack with SSL Sniffing, SSL Strip
SE Browsing-based Exploit for 5 users
IE Browser, Firefox Browser Scenario-based Attack Campaign
Local Application Scenario-based Attack Campaign
SE Fileformat Exploit for 5 users
Attack Application Fileformats of user : Adobe Acrobat (PDF), Foxit Reader (PDF),
Microsoft Word (DOC), Microsoft Excel (XLS) based on social engineering scenarios
These test methods may cause severe service interruption and degradation. Therefore,
such tests should only be performed in a monitored and controlled environment, to
minimize the business impact, or be limited to a “proof of concept” only.
Upon completion of the exploit phase, we will attempt to gain further access to the
target's internal networks by pivoting, and cover our tracks as we progress from
system to system. A post-exploitation authorization form will be presented to HLHV
detailing the target systems, the nature of the exploit(s) and the proposed method of
performing the post-exploitation.
We will seek your authorization to perform post-exploitation and agree the scope of the
intrusion. We may also opt to sniff packets for other potential victims, edit their
Utilizing these techniques will ensure that we maintain some level of access and can
potentially lead to deeper footholds into the target's trusted infrastructure. The
following describes the methods we will use in this stage:
Pivoting
Testing External Pivoting
Post-exploitation for 5 users
Privilege Escalation
Pass the Hash
Clearing Event Logs (leaving no audit record)
Enabling Remote Desktop
Interacting with the Registry
Screen Capture
Recording Camera and Microphone, FUD (fully undetectable)
Persistent Rootkit
Searching for and downloading sensitive data (.doc, .xls, password.*)
History Files
Encryption Keys (SSH, PGP/GPG)
Cleanup
Remove all executables, scripts and temporary files from each compromised system
Restore system settings and application configuration parameters to their original values
Remove all backdoors and/or rootkits installed
Remove any user accounts created for connecting back to compromised systems
We will undertake a web application penetration test on HLHV’s online system. The
objective is to gain privileged or unauthorized access to the application, or to gain
access to other users’ data within the web application. This is done by testing with
varying user profiles and access levels and focusing on application layer vulnerabilities.
The level of testing performed during web application penetration tests varies
depending on the complexity of the application. Therefore, the web application
Penetration Test that will be performed is on the assumption that only one web
application will be tested, that is the online system hosted at
We will establish and acquire the information required to successfully define the
scope of the web application penetration test. This involves gathering of information
and completing an initial threat analysis to ensure that testing emulates the real life
threats.
Survey
We will conduct a series of meetings with individuals responsible for the application(s)
to help better understand the scope. Considerations include the complexity of the
site, number of independent security mechanisms, authentication methods, the use of
encryption, certificate management, number of pages and forms, and the number of
back-end systems being used, as well as technology platforms involved.
The initial stage is familiarization with the application (i.e. the business model and
general operation). We will intercept and store network traffic and save the HTML,
Java, PHP, CGI, ASP, .NET or other source code for the sites we encounter.
The following describes the methods we will use for the Web Application Penetration
Test, based on the OWASP Testing Framework:
Authentication Testing
Ref.          Test                                               Vulnerability
OWASP-AT-001  Credentials transport over an encrypted channel    Credentials transport over an encrypted channel
OWASP-AT-002  Testing for user enumeration                       User enumeration
OWASP-AT-003  Testing for Guessable (Dictionary) User Account    Guessable user account
OWASP-AT-004  Brute Force Testing                                Credentials brute forcing
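OWASP-AT-002 (testing for user enumeration) is the authentication test most often found by a simple differential check, so here is an added worked example of it. This is not code from the DNA proposal or from OWASP: a login handler that leaks whether an account exists sits beside a hardened one that does not, and a small tester routine submits the same wrong password for a list of candidate usernames and groups the candidates by the response they receive. The user store, the passwords and the candidate list are constructed for this example.

```python
"""OWASP-AT-002, testing for user enumeration: a vulnerable login handler,
a hardened one, and the differential check a tester runs against both.

Added example, not part of the DNA proposal and not OWASP code. The two
handlers stand in for a real login endpoint so the check runs offline; the
user store, passwords and candidate usernames are constructed here.
"""
import hashlib
import hmac
import os
import secrets


def _make_user(password):
    """Salted SHA-256 record (salt, digest) for the constructed user store."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


# Constructed accounts. The dummy record lets the hardened handler do the same
# amount of work for an unknown username as for a known one.
USERS = {"alice": _make_user("correct horse"), "bob": _make_user("battery staple")}
_DUMMY = _make_user(secrets.token_hex(16))


def _password_matches(record, password):
    salt, digest = record
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def login_vulnerable(username, password):
    """Leaks account existence: unknown users get a different status and
    message, and the hash is never computed for them (a timing tell too)."""
    if username not in USERS:
        return 404, "Unknown user"
    if _password_matches(USERS[username], password):
        return 200, "Welcome"
    return 401, "Wrong password"


def login_hardened(username, password):
    """Unknown user and wrong password are indistinguishable: same status,
    same generic message, and the hash is always computed."""
    record = USERS.get(username, _DUMMY)
    ok = _password_matches(record, password)
    if ok and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def response_classes(login, candidates, probe_password="definitely-wrong"):
    """Tester's differential check for OWASP-AT-002: submit the same wrong
    password for every candidate username and group the candidates by the
    (status, body) they receive. More than one group means the endpoint
    tells valid usernames apart from invalid ones."""
    groups = {}
    for name in candidates:
        groups.setdefault(login(name, probe_password), []).append(name)
    return groups


def leaks_usernames(login, candidates):
    return len(response_classes(login, candidates)) > 1


# Constructed candidate list: the two real accounts mixed with guesses.
CANDIDATES = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        verdict = "ENUMERABLE" if leaks_usernames(handler, CANDIDATES) else "uniform"
        print(f"{handler.__name__}: {verdict} {response_classes(handler, CANDIDATES)}")
```

The check above compares only status and body. Against a real endpoint the same grouping is repeated on response time, on response length and on any redirect target, because a handler that returns one generic message but skips the password hash for unknown users still enumerates accounts through timing, which is why the hardened version always computes the hash against a dummy record.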
Intrusion
Once we obtain formal authorization for the target, we will attempt controlled
intrusion. During intrusion attempts, DNA will focus on finding the highest risk items
first, to perform the most efficient penetration. As we proceed through the list, a
detailed report of findings is created.
DNA will be in frequent communication with HLHV’s representatives during the test.
If we identify a highly critical problem in the web application, the issue will be
communicated immediately to the designated HLHV’s representative contact for
immediate attention. All identified findings will be clearly described with references to
specific parts of the application and the recommendations for remediation.
Assess Exposure
Upon the completion of the testing phases, we will proceed to produce a detailed
report that describes the work performed and the results of our tests along with the
recommendations for addressing the vulnerabilities identified.
PHASE 3: REPORTING
We will issue a final report detailing the findings and recommendations arising from
the vulnerability analysis and the implementation status of the recommendations.
The final report for the assessment of each website will include the following:
Executive Summary
The detailed tests performed
The output or results of the test
An analysis of the results
Recommended improvements and solutions, prioritized based on an
evaluation of the vulnerability and categorized as immediate, short or long-
term improvements
DNA will provide a report detailing the results of our Penetration Testing and our
solutions to address the vulnerabilities identified. A sample of our report with
recommendations to address vulnerabilities is shown below:
DNA’s Responsibilities
HLHV’s Responsibilities
The completion of each stage and the development of the deliverables for this
engagement are based on the assumption that we will carry out the work without
interruption, that all permitted and relevant information is provided to us, and that
all relevant officers, management and employees of HLHV are accessible at all
reasonable times requested by us.
We will advise management should any circumstances arise which cause the actual
time cost to exceed the agreed fees. If at any time during our work we become aware
that there would be extensions or significant variations to the agreed scope of work,
or that the agreed fees would be exceeded by more than 10 percent, we shall inform
you immediately and obtain your consent prior to conducting further work.
4. ENGAGEMENT TIMELINE
Based on the scope of work and deliverables proposed, our estimated engagement
timeline is as follows:
Phase Duration
Pre-Phase ( Pre engagement ) 2 days
Phase 1 ( Network Penetration Test ) 10 days
Phase 2 ( Web Application Penetration Test ) 3 days
Phase 3 ( Reporting & clearance of report ) 6 days
Total 21 days
5. DELIVERABLES
We will provide you with a report detailing the scope of work performed and
the results of the review. The report will include remediation details to the
vulnerabilities found.
6. FEES
Based on the work and deliverables described above, our fees (excluding the
10% VAT) estimated will be as follows:
TOTAL $5952
If at any time during our work we become aware that there would be
extensions or significant variations to the scope of work agreed upon, we
shall inform you immediately and obtain your consent prior to conducting
further work.
7. OUR TEAM
Below are the roles and responsibilities and a brief resume of each
member of our proposed DNA team:
He will also be available to attend to any issues and concerns from HLHV.
When providing the Network & Web Application Penetration Test for HLHV, DNA offers a
preferential policy including the following:
Items Description
Appendices
Security Penetration Testing Tools: the suite of tools utilized by the project team to
conduct the security penetration testing work.
DNA IT Security Risk Management Methodology: enables IT asset risks to be properly
identified and prioritized according to risk ratings, so that cost-effective and
practical countermeasures can be proposed to eliminate, reduce or mitigate the risks
identified.
The prime objectives of the methodology include; providing a risk and business based
approach to security penetration testing, test results that link to the risk management, risk
assessment processes, and achieving broad coverage of all relevant systems. These
results are balanced with detailed and focused testing of specific target systems.
We will use various manual and automated tools to conduct the internal and external
security Penetration Testing. Samples of the tools used are as follows (but not limited to):
Category                          Tools                                     Purpose
Footprinting Tools                Unix/Windows clients, e.g. Linux,         Operating systems for carrying out the
                                  Slackware, FreeBSD, Sun Solaris,          network security assessments, installing
                                  Windows 2000, 2003, 2008, XP, Vista,      scanning tools, executing exploit
                                  Windows 7 etc.                            programs and penetration tests
Port Scanners and Vulnerability   Nmap, Superscan and NetscanTools          Network mappers for scanning open ports
Scanning Tools                                                              on remote hosts
                                  Ping, Fping, Hping2 and Netcat            Advanced tools to test network
                                                                            connectivity, map out the network
                                                                            structure, test the firewall rules, etc.
Web Assessment Tools              WebScarab, Paros Proxy, HTTrack,          Tools used for the security assessment
                                  Wapiti, N-Stealth, Nikto, Wikto,          of web based applications
                                  Whisker, CGI Scanner, Absinthe and
                                  miscellaneous thin client tools
DNA has an IT Security Risk Assessment Methodology which enables IT assets risks to
be properly identified and prioritized according to risk ratings. This enables us to propose
cost-effective and practical countermeasures to be developed to eliminate, reduce or
mitigate the risks identified.
The DNA Enterprise Security Architecture™ has many different building blocks that form
a solid foundation and structure. The result is a comprehensive, cohesive model for
assessing information protection efforts that takes in consideration all of the aspects of
an organization – from business processes to technologies to individual employees.
Client             Engagement
Largest PR Agency  • Security Awareness
                   • Blackbox/Unguided External Penetration Testing
                   • Internal Penetration Testing
                   • Application Penetration Testing
                   • Wireless Penetration Testing
                   • Network Architecture Review
                   • Network Device Configuration Review (Switches & Firewalls)
Thank You.
For further information on this proposal, please do not hesitate
to contact
duc@ducnguyena.com
+84 0902 159977