CNI SECURITY PENETRATION TESTING AND AUDIT
Allow CNI to assist you in securing your network.
PURPOSE
This document is CNI’s response to Customer X’s (referred
to as “Customer” in the rest of this document) request
for proposal to complete an Internet-based Security Audit of their
Internet perimeter.
DELIVERABLES
CNI will provide:
1. An Internet perimeter penetration test, which will include the
discovery of all host-based systems accessible via the Internet on the
outside of the Customer's Internet firewalls, the discovery of any
vulnerabilities on those systems, and an attempt to compromise them using
any discovered vulnerabilities in order to gain root or administrative
access. CNI will also attempt to compromise or overcome any router,
switch, VPN, firewall or proxy-based security device discovered in the
perimeter scan.
2. A detailed report of all findings including recommendations to
eliminate the vulnerabilities found and/or exploited.
PROJECT COSTS AND TIMEFRAME
Costs for this Internet Security Audit are to be determined. The final
report will be available within 10 business days of the completion
of testing.
METHODOLOGY
Penetration testing can be broken down into two categories,
internal and external. Internal signifies the inside of a corporate
intranet; external refers to the perimeter of a network, which is usually
the public domain area of the Internet. The testing in this proposal
will be external only.
External penetration testing will be carried out from the Internet.
Penetration testing is used to demonstrate how a potential intruder
or unauthorized employee could gain unauthorized access. Once vulnerabilities
are found on a network, the analyst performing the test will try to
exploit them. Thus, the purpose of a penetration exercise is to identify
and catalogue the technical vulnerabilities found on a target
organization’s network and to try to exploit them.
It is important to make a distinction between penetration testing
and network security assessments. As mentioned above, penetration testing
includes an attempt to exploit discovered vulnerabilities, whereas
network security assessments using commercially available tools may
be useful to a degree but do not always reflect the lengths to which
hackers will go to exploit a vulnerability.
The business impact and exposure that the vulnerabilities found will
have on the organization are not covered by an external penetration
test. The results address the technical issues identified and the remedial
actions required to correct these exposures.
There are a number of reasons why organizations would want to carry
out penetration testing. First, a large organization may want to
take stock of how many vulnerable systems are present in the organization,
thereby measuring trends in its network security posture. Others
may want to provide assurance to their customers or business partners
that their sensitive information is secure. Finally, other organizations
may use the results of penetration testing to persuade management
to invest in information security technology.
There are a wide variety of tools that one could use for internal/external
penetration testing. These tools typically map out a network environment
and the services available on the network. The services found on the
network are then compared to a vulnerability database and the tool
will report on vulnerabilities found.
The process described below is a guideline to the testing methodology
that will be followed during the penetration test. It is difficult
to describe a penetration exercise in a step-by-step manner because
penetration testing may lead the analyst down many different paths.
In addition, what is tested, and how it is tested or exploited, depends
on the scope of the testing, the size of the organization, the
type of networks and operating systems being tested, the type of services
and vulnerabilities found, the tools at the analyst's disposal, and
so on.
Penetration testing can be broken down into four broad phases:
1. Footprinting: Activities within this phase include determining the
subnets and specific hosts within the organization that will be targeted.
Are you going to footprint an entire organization, or are you going
to limit your activities to certain hosts? The analyst will need to
discuss with the System Administrator which method will be used.
2. Host Enumeration: Once the range of hosts has been identified, it
will be necessary to enumerate the hosts that are live and listening on
the network.
3. Vulnerability Scanning: This phase will determine the specific services
(ports) that are available on the hosts identified in the previous
phase and document all known attacks to which these services may be
exposed.
4. Penetration Testing: This phase includes running exploitation tools
against selected hosts in order to identify possible vulnerabilities
that may be exploitable using common hacker methods.
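The footprinting phase ends with an agreed list of hosts, and the assumptions later in this proposal make written authorisation for exactly those addresses a precondition of scanning. A practical control is to check every candidate target against the authorised ranges before any scanning tool sees it. The script below is an added example, not CNI's tooling or part of the proposal; the authorised networks, the authorised names and the candidate targets are constructed sample data (RFC 5737 documentation addresses and example domains), standing in for what the Customer's written authorisation would list.

```python
"""Scope check for the footprinting phase: confirm that every candidate
target lies inside the addresses and DNS names the client authorised.

Added example, not part of CNI's proposal or tooling. The authorised
ranges, names and candidate targets below are constructed sample data
(RFC 5737 documentation addresses, example domains); in an engagement
they would be taken from the Customer's written authorisation.
"""
import ipaddress
import re

# Constructed: what the Customer's written authorisation would list.
AUTHORISED_NETWORKS = ["198.51.100.0/24", "203.0.113.8/29"]
AUTHORISED_NAMES = {"www.customer.example", "vpn.customer.example"}

# Constructed: what footprinting turned up, including mistakes.
CANDIDATE_TARGETS = [
    "198.51.100.10",         # inside the /24
    "203.0.113.9",           # inside the /29
    "203.0.113.20",          # same ISP block, outside the authorised /29
    "192.0.2.5",             # unrelated address
    "www.customer.example",  # authorised name
    "cdn.customer.example",  # third-party hosted: needs separate approval
    "not an address",        # malformed entry from a copy/paste
]

# RFC 1123 style hostname: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def classify_target(target, networks, names):
    """Return 'in-scope', 'out-of-scope' or 'invalid' for one target.

    IP literals are checked against the authorised CIDR blocks. Names are
    matched exactly and case-insensitively: a subdomain of an authorised
    name is NOT implicitly in scope, because it may be hosted by a third
    party whose approval the proposal requires separately.
    """
    target = target.strip()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal; accept only a well-formed DNS name.
        if not HOSTNAME_RE.match(target):
            return "invalid"
        authorised = {n.lower() for n in names}
        return "in-scope" if target.lower() in authorised else "out-of-scope"
    for net in networks:
        if addr in ipaddress.ip_network(net, strict=False):
            return "in-scope"
    return "out-of-scope"


def partition_targets(targets, networks=AUTHORISED_NETWORKS, names=AUTHORISED_NAMES):
    """Split candidate targets into three buckets. Only the 'in-scope'
    bucket should ever be handed to the scanning tools; the other two
    go back to the Customer for correction or additional approval."""
    buckets = {"in-scope": [], "out-of-scope": [], "invalid": []}
    for target in targets:
        buckets[classify_target(target, networks, names)].append(target.strip())
    return buckets


if __name__ == "__main__":
    for bucket, items in partition_targets(CANDIDATE_TARGETS).items():
        print(f"{bucket:13s} {items}")
```

Names are compared exactly rather than by suffix on purpose: the proposal's fourth assumption requires separate third-party approval for hosts the Customer does not own or house, and a hosted subdomain is precisely the case where a suffix match would silently widen the scope.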
Vulnerability scanning software supports multiple protocols such as
UDP, TCP and ICMP. They also support a very large number of scanning
techniques such as TCP connect, TCP FIN, TCP SYN and so on. Some other
features include detecting remote operating systems and decoy scanning,
to name but a few. The purpose of the port scan is to identify what
services the target hosts are offering. Once this is established you
can decide which hosts should be tested for vulnerabilities.
Penetration testing software actively probes the services (or ports)
found in the vulnerability scanning phase of the Security Audit. The
goal is for the software to gain Administrator or Root account access.
This implies that the hacker now has complete control of the target
host and can read, modify, execute or delete any data or program on
that machine. This compromised host is also now a launch point for
Hackers to pivot and continue their attack onto other host systems
the compromised host has access to.
SCOPE OF WORK PROPOSED BY CORPORATE NETWORKING INC (CNI):
The Scope of Work is broken into three phases:
The first phase will focus on active vulnerability scanning of
the external perimeter, consisting of those systems and/or networking
devices provided to CNI. CNI will not modify, delete or add software
or parameters on any network device scanned or probed with port scanning
or password cracking software.
The second phase will focus on the attempt to compromise systems found
in the vulnerability scanning phase of this proposal. This penetration
assessment includes findings with detailed documentation on the vulnerabilities
found, how we exploited them and what resulting exposure was found
on the target system(s).
The third phase will be the generation of Executive and Technical
reports. These will be reviewed with the Customer and include the results
of both of these phases. This final report will also provide recommendations
that should be implemented to reduce the risk of an Internet Perimeter
compromise.
1) Phase One -- External Perimeter Vulnerability Assessment
The Client will provide CNI with the host TCP/IP addresses and/or
DNS registered names for the target hosts and/or network devices. The
Client network perimeter will be tested for well-known vulnerabilities
in the following manner.
External Perimeter Hosts (e.g. web servers)
• Identify applications and services on host devices (DHCP, TFTP, DNS,
etc.).
• Review communication protocols that are active on the system.
• Review industry sources for notices of known vulnerabilities in the
host-based OS.
• Document all findings and recommendations for use in the final report.
External Perimeter Network Devices (e.g. Firewalls, VPN devices, Proxies)
• Review the configuration and network diagram of all network related
devices that are exposed on the perimeter of the network.
• Review access control lists within the networking devices.
• Identify unneeded services on networking devices (DHCP, TFTP, DNS,
small servers and so forth).
• Provide recommendations for securing networking devices.
• Review CERT notices for known vulnerabilities in networking equipment.
• Document all findings and recommendations for use in the final report.
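The host and network-device checklists above both come down to the same review: take the services a scan shows as reachable, compare them with what each device is supposed to expose, and write up everything else (the DHCP, TFTP, DNS and small-server examples the checklist names) as a finding with a recommendation. The following script is an added example of that review, not CNI's software or output. The scan lines are constructed in the layout of Nmap's grepable (-oG) format using RFC 5737 documentation addresses, and the per-role baselines and risk notes are assumptions standing in for what the Customer's configuration documentation would provide.

```python
"""Unneeded-service review: parse port-scan results and flag every open
service that is not on the agreed baseline for that host's role.

Added example, not CNI's tooling. The scan lines are constructed in the
layout of Nmap's grepable (-oG) output; the role baselines and the risk
notes are assumed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample scan output (RFC 5737 documentation addresses).
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 198.51.100.10 (www.customer.example)\tStatus: Up
Host: 198.51.100.10 (www.customer.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd/, 443/open/tcp//https///, 69/open/udp//tftp///\tIgnored State: closed (996)
Host: 203.0.113.9 (fw.customer.example)\tStatus: Up
Host: 203.0.113.9 (fw.customer.example)\tPorts: 500/open/udp//isakmp///, 4500/open/udp//ipsec-nat-t///, 23/open/tcp//telnet///, 80/filtered/tcp//http///\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""

# Assumed: the role of each perimeter host and the services that role
# is supposed to expose, as agreed with the Customer.
ROLE_OF_HOST = {"198.51.100.10": "web-server", "203.0.113.9": "vpn-firewall"}
BASELINE = {
    "web-server": {("tcp", 80), ("tcp", 443)},
    "vpn-firewall": {("udp", 500), ("udp", 4500)},
}

# Services the checklist singles out as unneeded on perimeter devices,
# with a short rationale for the report.
KNOWN_RISKY = {
    "tftp": "unauthenticated file transfer",
    "telnet": "cleartext administration",
    "dhcp": "no business need on a perimeter host",
    "dns": "open resolver or zone exposure",
}

# "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
PORTS_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: [(proto, port, state, service), ...]} from -oG lines."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        match = PORTS_RE.match(line)
        if not match:
            continue                       # comments and Status-only lines
        ip, _name, ports_field = match.groups()
        for entry in ports_field.split(", "):
            # Each entry is port/state/protocol/owner/service/rpc info/version/
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            hosts[ip].append((proto, int(port), state, service))
    return dict(hosts)


def review_services(hosts, role_of_host=ROLE_OF_HOST, baseline=BASELINE):
    """Compare open services with the role baseline and return findings."""
    findings = []
    for ip, entries in hosts.items():
        role = role_of_host.get(ip)
        allowed = baseline.get(role, set())
        for proto, port, state, service in entries:
            if state != "open":
                continue                   # filtered/closed is not an exposure
            if (proto, port) in allowed:
                continue
            findings.append({
                "host": ip,
                "role": role or "unknown",
                "service": f"{port}/{proto} ({service or 'unknown'})",
                "severity": "high" if service in KNOWN_RISKY else "medium",
                "recommendation": "Disable or firewall %s: %s" % (
                    service or port,
                    KNOWN_RISKY.get(service, "not in the agreed baseline for this role"),
                ),
            })
    return findings


if __name__ == "__main__":
    for finding in review_services(parse_grepable(SCAN_OUTPUT)):
        print(finding)
```

Ports reported as filtered are deliberately left out of the findings: they show the firewall doing its job, and listing them would pad the report without changing any recommendation. A host with no agreed role falls back to an empty baseline, so every open port on it is reported, which is the safe default for an undocumented device.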
2) Phase Two -- Penetration Testing
Upon the completion of the perimeter vulnerability scan, another software
product will be used to take the potential vulnerabilities discovered
on your host systems and actively attempt to gain control of those
host systems.
• Attempt to gain control of the host system.
• Document whether or not our attempt was successful.
• If successful, we will document a directory listing to prove our attempt
was successful.
• If successful, we will pivot on that system and attempt to discover
and attack other host systems on the Customer network.
• We will attempt to gain control of any system in the DMZ (if applicable)
and/or the Production network. Our attempt at compromising hosts will
end at this point. If we have gotten into either the DMZ or the Production
network, the point will have been made that the Internet Perimeter
was successfully breached. CNI may be contracted by the Customer to
complete an Internal Security Audit if so desired.
3) Phase Three -- Reporting
Upon the completion of the perimeter assessment, corrective measures
will be recommended to eliminate or mitigate the anomalies that have
been identified. This element of the assessment can take many forms
and is limited to the items that have been identified within the audit.
• Identify known vulnerabilities and associated vendor software
patches.
• Recommend solutions to strengthen the perimeter of the network.
• Provide policy recommendations to eliminate known vulnerabilities.
• Provide the final security audit report with all findings.
• Provide recommendations for firewall and VPN solutions.
ASSUMPTIONS
In preparing this proposal, Corporate Networking Inc has relied on
information, conversations and documentation provided by the Customer.
As a result of the preliminary discussions with your organization,
the following significant assumptions were made:
1. The Client will provide the documentation necessary for CNI to
complete the Vulnerability Assessment. This may include, but is not
limited to, stated corporate security policies for Internet access,
TCP/IP addresses, host DNS names, firewall configurations, and perimeter
network topology maps. CNI also requires that a Client representative be
available via phone or email during the Vulnerability Scanning phase of
this proposal.
2. Any items outside of this scope will be documented and agreed
upon by both parties for approval. The cost and/or schedule impact of
the change requested shall be documented in an amended document.
3. The Customer will grant permission, in writing, to Corporate Networking
Inc. for the explicit purpose of vulnerability scanning the Customer's
computing devices via the Internet.
4. The Customer will notify, and gain approval from, the appropriate
third party for CNI to complete perimeter scans of any host portals or
web servers not owned by the Customer or physically located in Customer
facilities. The Customer will provide CNI with written verification of
approval for CNI to proceed with the Vulnerability Assessment scanning
tests.
Notes
The security audit will be performed by off-site engineers. The
final report for this Vulnerability Assessment will be available within
10 business days from the completion of the Security Audit. This
Security Audit is limited to the logical security of the network
and does not include physical security. No on-site engineer time is
expected to be required to complete the scans or audits of any devices
discussed in this document. If the Client requires CNI to provide on-site
engineering support for any reason, the fees discussed above may be
revised by CNI and resubmitted for approval.
Letter of Agreement between Corporate Networking Inc. and Customer for
the Statement of Work as described above.