City Secretary Contract No. 49987
OFFICIAL RECORD, CITY SECRETARY, FT. WORTH, TX

City of Fort Worth
Vulnerability Assessment and Penetration Testing Services
Rules of Engagement
Myers and Stauffer LC
Dated: October 24, 2017

1. INTRODUCTION

This document describes the Rules of Engagement (ROE) under which Myers and Stauffer LC (MSLC) performs certain Information Technology assessment procedures. Rules of Engagement establish guidelines to assist implementation of network and application vulnerability assessment, penetration testing, and social engineering testing. From this point forward, unless otherwise specified, the terms "test" and "testing" refer to both network vulnerability assessment and penetration testing.

These Rules of Engagement are to be signed by an authorized representative of the City of Fort Worth (City) (referred to throughout this document as CLIENT or target organization) and MSLC.

These Rules of Engagement apply to the:
• Internet (External) Vulnerability Assessment
• Network (Internal) Vulnerability Assessment
• Network Penetration Testing, Analysis and Exploitation (External)
• Application Penetration Testing, Analysis and Exploitation (External)

These Rules of Engagement and/or referenced documents should include:
• Specific IP addresses/ranges to be tested
• Any restricted hosts (i.e., hosts, systems, subnets not to be tested)
• URL(s) for web applications in scope for testing
• A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.)
• Times when testing is to be conducted (e.g., during business hours, after business hours, etc.)
• Identification of a finite period for testing
• IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks
• Points of contact for the penetration testing team, the targeted systems, and the networks
• Measures to prevent law enforcement being called with false alarms (created by the testing)
• Handling of information collected by the penetration test team

The following documents are incorporated by reference and, when used in conjunction with these Rules of Engagement, include the above ROE recommendations:
• Contract/Scope of Work/Engagement Letter, etc. documentation
• "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures," to be signed by CLIENT and MSLC

These ROE and referenced documents:
• Describe the test objective(s), scope(s) and approach(es) we use
• Prescribe when, where, how, against what assets and whom we conduct security testing
• Designate both administrative and operational Points of Contact (POC) within the target organization and MSLC
• Stipulate general and specifically permitted and prohibited behaviors
• Stipulate specific procedures to be followed for various scenarios
• Help ensure that our security tests achieve maximum effectiveness with minimal operational impact to the organization

Due to the sensitive nature of testing, specific Rules of Engagement are necessary to ensure testing is performed in a manner that minimizes operational impact while maximizing test usefulness. To ensure that testing integrity is not impaired, the parties having knowledge of the testing must restrict communication of test schedules, procedures, or other information concerning the test to individuals at the operational level prior to or during the performance of the test.

2. TEST OBJECTIVE

The overall testing objective is to assess/determine the effectiveness of CLIENT's security program in preventing or detecting unauthorized external and internal access to logical and physical assets, including evaluating whether the target organization's computer information systems are properly configured and protected to prevent an intruder from gaining access through potentially vulnerable Internet access points. In the case of Social Engineering, the overall testing objective is to evaluate the target organization's level of awareness of, and response to, human-based information gathering attempts.

3. TEST SCOPE

MSLC testing procedures are designed to assess the devices in the Test Target List identified in the "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures," in order to determine the vulnerability to known exploits which may result in a reduction of data integrity, availability or confidentiality. MSLC test procedures use non-destructive techniques. Furthermore, this assessment is not intended to disable users, deny service, or otherwise render a device or IP address inaccessible. Testing will occur during the dates and times specified in the "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures."

Not all logical and physical assets under CLIENT control will be tested. Items approved for testing are described in paragraph 8 and items excluded from testing are described in paragraph 9. Testing will be of CLIENT supporting network infrastructure, web-facing CLIENT applications, CLIENT-managed wireless network, CLIENT facilities, and CLIENT employees.

Testing to be performed will include:
• Internet (External) Vulnerability Assessment
• Network (Internal) Vulnerability Assessment
• Network Penetration Testing, Analysis and Exploitation (External)
• Application Penetration Testing, Analysis and Exploitation (External)

4. GENERAL APPROACH

Our logical tests may be conducted covertly and/or overtly using one or more of the following approaches:
• Security testing is conducted without the knowledge of the organization's IT staff but with full knowledge and permission of upper management. During covert testing, we will attempt to avoid detection by the CLIENT IT staff and obscure our testing activities.
• Security testing is conducted with the knowledge and consent of the organization's IT staff. We will announce testing windows but not specific dates and times for testing, and report testing progress to the designated CLIENT Point(s) of Contact (POC). During our overt testing activity, we will monitor CLIENT's response to our testing.
• Security testing is conducted with the knowledge and consent of the organization's IT staff. We will announce testing windows including specific dates and times for testing, and report testing progress to the designated CLIENT Point(s) of Contact (POC). During our overt testing activity, we will monitor CLIENT's response to our testing.

Logical testing will be performed using a combination of testing techniques:
• As an "outsider" with no information about the client's computer systems,
• With "some" knowledge of the client's computer system(s) in a role functionally equivalent to the knowledge of an average user, and/or
• With "complete" knowledge of the client's computer system(s) in a role functionally equivalent to an individual with administrative access.

We use a four-step approach:
• Discovery (Information Gathering)
• Vulnerability analysis
• Exploitation
• Reporting

Results of vulnerability scans will be taken at face value and will not be discounted for potential mitigating factors, such as the possibility of detection, unless those factors were evaluated as part of the test.

5. TESTING TIMETABLE

Specific dates and times (windows) for testing are defined in the "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures." Physical penetration testing will be done throughout the engagement, as applicable.

6. TESTING LOCATIONS

External testing will be executed from our offices in Austin, TX, and/or from an agreed-upon location logically outside the organization. IP addresses and information on hosts used for external testing are located in the "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures."

Internal testing will be executed from a location provided by CLIENT. IP addresses and information on hosts used for internal testing are located in the "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures."

7. TOOLS AND METHODS

All tools used for information gathering, vulnerability assessment and penetration testing are generally accepted within the security community, have been used previously by MSLC, and vulnerability assessment/penetration testing team (VAPT) personnel have been trained in their use. No untested software tools or techniques will be employed.
• Electronic public domain information gathering is conducted using Internet search engines, which may include, but not be limited to, WebFerret and NewsRover.
• Logical network vulnerability assessments are conducted using Tenable Nessus and other assessment tools as applicable.
• Logical network and application penetration tests are conducted using a variety of penetration testing tools and other scripts as required, based on the client/target organization IT environment and the potential vulnerabilities identified during discovery procedures.
• Physical penetration methods may include impersonation and persuasion using the telephone, email, postal mail and personal visits to the organization.
Attempts to gain unaccompanied physical access to restricted areas of the organization may include posing as utility workers, vendors, employees from another department, or technical and delivery personnel. We may attempt to recover discarded information by searching through bags of garbage discarded in public waste receptacles.

8. ITEMS TO BE TESTED

Logical - For a list of Internet/Network (External/Internal) IP addresses and/or URLs to be tested, please see "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures."

9. ITEMS NOT TO BE TESTED

Logical - See "Authorization to Perform Internet/Network/Application Information Security Assurance Procedures."

10. DESIGNATED POINTS OF CONTACT

The target organization designates one or more points of contact to be notified immediately in the event a significant system vulnerability is identified during testing or if MSLC personnel are detained by in-house security forces or local law enforcement personnel. For significant system vulnerabilities discovered, the designated official(s) shall have the knowledge and authority to concede that a system vulnerability exists and the authority to direct MSLC to suspend that portion of the testing, if necessary. Specifically, the official(s) shall be knowledgeable in the following areas:
• System Security - Representative(s) shall have extensive networking knowledge as well as an understanding of basic system security. Strong operational skills in general operating system disciplines are required, particularly on all the identified computing environment platform(s). The individuals must have comprehensive knowledge of the target organization's application software and its uses.
• Network Security - Representative(s) shall have strong skills in general network infrastructure and administration.
The individual(s) must have a working knowledge of the operating systems used on the network, with awareness of the application software and its uses.
• Administrative Security - Representative(s) shall have a basic understanding of both system and network security, along with the ability to understand and administer physical security and organizational policies and procedures.

City of Fort Worth:
• Administrative Point(s) of Contact for coordination of MSLC inquiries and requirements
  o William Birchett, Sr. Manager IT Security, William.Birchette@fortworthtexas.gov, (817) 392-8105
• Operational Point(s) of Contact for logical testing
  o Kevin Woods, IT Information Security Analyst, Kevin.L.Woods@fortworthtexas.gov, (817) 392-6671
• Operational Point(s) of Contact for physical penetration testing
  o Kevin Woods, IT Information Security Analyst, Kevin.L.Woods@fortworthtexas.gov, (817) 392-6671

MSLC:
• Administrative Point(s) of Contact for coordination of client inquiries and issues
  o Ron Franke, Principal, (512) 340-7412, rfranke@mslc.com
• Operational Point(s) of Contact for logical testing, network and application vulnerability assessments and penetration testing
  o Kim Bradley, Manager, Test Team Lead, (512) 340-7407, kbradley@mslc.com
• Operational Point(s) of Contact for physical penetration testing
  o Kim Bradley, Manager, Test Team Lead, (512) 340-7407, kbradley@mslc.com

11. TERMS OF TESTING AND GENERAL RULES

Myers and Stauffer LC WILL observe the following rules of engagement to minimize the impact on client/target organization resources:
• Provide identification information for all machines used during vulnerability assessment and penetration testing to the designated POC.
• Coordinate internal and external testing schedules with the client/target organization POC and accomplish all test procedures within the agreed-upon timelines and test windows.
• Notify ONLY the designated POC(s) at the target organization prior to commencement of testing.
  Prior to active testing, MSLC will notify the POC(s) identified in the contact list via email that testing is about to begin, and from which IP addresses the testing will originate.
• Inform the target organization immediately upon verification of a significant network or web-facing application weakness or vulnerability.
• Accomplish all active and exploitation testing during the client/target organization defined test window(s), with prior notification to the client's/target organization's communication distribution list, as defined in the contact list section.
• Employ no untested software tools or techniques.
• Use utmost discretion when performing test procedures that may potentially lock system accounts, such as password guessing, or produce results that may cause adverse effects, such as testing web-based printer interfaces and web-based email services. With respect to these test steps, a phased approach will be utilized in which high-level tests will be conducted first, then more granular testing will be conducted as necessary.
• Employ no network-based Denial of Service (DoS). This includes, but is not limited to, any type of SYN flood or packet flood.
• System-level and software files may be viewed to demonstrate vulnerabilities, but not altered, deleted or executed.
• User files and any other data contained in Client's information system that are part of an agency system of records on individuals to which MSLC obtains access will be kept confidential in a manner consistent with the Privacy Act (5 U.S.C. §552a) and other applicable regulatory requirements.
• All information about the test(s), such as the information system vulnerabilities and potential security compromises, will be kept completely confidential by MSLC and released only to approved client/target organization Point(s) of Contact.
• Utmost care will be exercised not to disable user IDs.
  For any user ID found to be inadvertently disabled, MSLC will notify the client/target organization and the appropriate representatives to ensure the prompt restoration of access.

Myers and Stauffer LC MAY:
• Scan all files and directories for file names and attributes.
• Open all system and software files.
• Add to or modify password files and user lists only where required to validate a detected vulnerability, or for further exploitation to validate the degree of potential exploitation.

Myers and Stauffer LC WILL NOT:
• Redirect traffic within or outside of the CLIENT network.
• Configure a system to allow future/return access.
• Intentionally conduct a denial of service attack against the organization's systems unless specifically authorized by written agreement with CLIENT.
• Intentionally disable user accounts.
• Disclose in advance to anyone other than the designated and authorized POC the specific dates and times of testing.

CLIENT WILL:
• Provide information as necessary and requested by MSLC to complete their tests.

12. METHODOLOGY AND SUSPENSION OF TESTING

As mentioned above, vulnerability assessment and penetration testing may be performed as an "outsider" with no information about the client's computer system(s), may be performed with some knowledge of the client's computer system(s) in a role functionally equivalent to the knowledge of an average user, or may be performed with complete knowledge of the client's computer system(s) in a role functionally equivalent to an individual with administrative access. Social Engineering testing is also performed as specified in the terms of this ROE. Testing is performed by following the MSLC vulnerability assessment and penetration testing methodology. Testing is conducted from either the client's site or MSLC facilities.
Testing may include the following, but is not limited to:
• Electronic mapping - external
• Electronic mapping - internal
• Remotely or locally logging into the client's system(s) and gaining the ability to view, copy or modify data
• Remotely or locally obtaining the ability to copy, modify or delete system configuration files
• Remotely or locally obtaining the ability to view, modify or obtain password files
• Remotely or locally obtaining the ability to redirect traffic
• Identifying the ability to deny service to the target organization's computer system(s)
• Social Engineering - by telephone, mail, email or other electronic means
• Remotely or locally adopting the identity of an employee or posing as an authorized user, member or other individual to gain physical access to sensitive data
• Breaking into employee work areas and/or workstations
• Reading corporate or private email
• Pretending to be a technical supplier
• Remotely or locally obtaining information discarded by the client to gain information about the client (on and off site, inside and outside "dumpster diving")
• Targeting of sensitive corporate resources
• Personnel extortion, blackmail and coercion
• Investigation of backgrounds of staff personnel
• Penetration of business partners
• Installation of software and/or hardware key loggers to obtain sensitive corporate information
• Obtaining sensitive corporate, customer or member information via telephone or email
• Phishing of employees for sensitive corporate information
• Pharming of employees for sensitive corporate information

Evidence to support discovered weaknesses may consist of screenshots, session logs, exploit output/results, digital photographs, or equivalent.

Suspension of Testing

If MSLC is not able to gain access to the client's system(s) after an agreed-upon amount of time and/or level of effort, testing will cease.
Additionally, testing ceases if MSLC, in conjunction with client/target organization representatives, determines that any of the following conditions exist:
• Unexpected occurrences are encountered that prohibit further testing
• Client/target organization reports that testing procedures materially affect computer operations in a negative manner

Once a determination is made to suspend testing, the appropriate interested parties are informed. The justification for the suspension shall be well documented.

13. INCIDENT DETECTION AND RESPONSE

• Target organization(s) will follow normal network monitoring/intrusion detection processes and respond to any detected activity as though the activity were from an unknown, hostile source.
• Target organization(s) will retain all logs and communications pertaining to detection activities and provide copies to MSLC for inclusion in the engagement documentation.
• MSLC will acknowledge verified detected activities.
• Detected activities will not be reported to law enforcement or to any agency outside of CLIENT and/or target organization.

14. OTHER MATTERS

Contractor acknowledges that in accordance with Chapter 2270 of the Texas Government Code, the City is prohibited from entering into a contract with a company for goods or services unless the contract contains a written verification from the company that it: (1) does not boycott Israel; and (2) will not boycott Israel during the term of the contract. The terms "boycott Israel" and "company" shall have the meanings ascribed to those terms in Section 808.001 of the Texas Government Code. By signing this contract, Contractor certifies that Contractor's signature provides written verification to the City that Contractor: (1) does not boycott Israel; and (2) will not boycott Israel during the term of the contract.

15. APPROVALS

These Rules of Engagement correctly set forth the understanding between City of Fort Worth and Myers and Stauffer.
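The ROE above turns on a handful of facts recorded in the authorization form: the target ranges (section 8), the excluded hosts (section 9), the in-scope URLs, the permitted test window, the tester origin IP addresses announced to the POC (section 11), and the ban on DoS-style techniques. Section 13 then asks the City's monitoring staff to treat detected activity as hostile while retaining the logs for the engagement record. The following Python is an added illustration, not part of the contract and not MSLC's or the City's tooling: it models those authorization items as data and applies them from both sides, as a scope gate a tester would run before acting and as a triage tag a defender would attach to retained alerts. Every address, URL and alert line in it is a constructed sample value (the signed form leaves the real ranges TBD); the alert-line format is an assumed one.

```python
"""Rules-of-engagement scope gate and detection triage (added example).

Models the authorization items the ROE relies on: target ranges, excluded
hosts, in-scope URLs, the test window, tester origin IPs and the section 11
ban on DoS-style techniques. Tester side: refuse an action outside the
authorization. Defender side: tag an observed source so analysts can tell
announced test traffic from unknown activity (section 13 still requires the
normal response; the tag only supports triage and the retained record).
All addresses, URLs and alert lines below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

PROHIBITED_TECHNIQUES = {"dos", "syn-flood", "packet-flood"}  # section 11, "WILL NOT"


def _as_dt(when):
    """Accept a datetime or an ISO-8601 string (log timestamps arrive as strings)."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


@dataclass
class Authorization:
    target_ranges: list           # CIDR strings (form section III-A)
    excluded_hosts: list          # IPs/CIDRs never to be touched (section 9)
    target_urls: list             # application entry URLs (form section III-B)
    window_start: datetime        # permitted test window (form section IV)
    window_end: datetime
    origin_ips: list              # tester source addresses (form sections I/II)
    dos_authorized: bool = False  # true only under a separate written agreement

    def in_window(self, when) -> bool:
        return self.window_start <= _as_dt(when) <= self.window_end

    def host_in_scope(self, host: str) -> bool:
        addr = ip_address(host)
        # Exclusions win: a restricted host inside a tested range stays off limits.
        if any(addr in ip_network(x, strict=False) for x in self.excluded_hosts):
            return False
        return any(addr in ip_network(x, strict=False) for x in self.target_ranges)

    def url_in_scope(self, url: str) -> bool:
        u = urlsplit(url)
        for authorized in self.target_urls:
            a = urlsplit(authorized)
            base = a.path.rsplit("/", 1)[0] + "/"  # directory of the authorized entry page
            same_site = (u.scheme, u.netloc.lower()) == (a.scheme, a.netloc.lower())
            if same_site and (u.path or "/").startswith(base):
                return True
        return False

    def is_tester_origin(self, src: str) -> bool:
        return ip_address(src) in {ip_address(x) for x in self.origin_ips}


def check_action(auth, target, technique, when):
    """Tester-side gate: returns (allowed, reason); each refusal names its rule."""
    technique = technique.lower()
    if technique in PROHIBITED_TECHNIQUES and not auth.dos_authorized:
        return False, f"{technique}: prohibited by section 11 absent written DoS authorization"
    if not auth.in_window(when):
        return False, f"{_as_dt(when).isoformat()}: outside the permitted test window"
    if "://" in target:
        ok = auth.url_in_scope(target)
    else:
        try:
            ok = auth.host_in_scope(target)
        except ValueError:
            return False, f"{target!r}: neither an IP address nor a URL"
    if not ok:
        return False, f"{target}: not in the authorized target list, or excluded"
    return True, "within authorization"


def classify_source(auth, src_ip, when):
    """Defender-side tag for one observed source address at one time."""
    if not auth.is_tester_origin(src_ip):
        return "unknown-source"
    return "announced-test-origin" if auth.in_window(when) else "tester-origin-outside-window"


def parse_alert(line):
    """Parse one constructed alert line: '<iso-time> src=<ip> dst=<ip> sig=<name>'."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return line.split()[0], fields["src"]


def triage(auth, lines):
    """Tag every retained alert line and return {tag: count} for the engagement record."""
    counts = {}
    for line in lines:
        when, src = parse_alert(line)
        tag = classify_source(auth, src, when)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample authorization; the window matches the signed form, the rest is invented.
SAMPLE_AUTH = Authorization(
    target_ranges=["203.0.113.0/24", "198.51.100.0/25"],
    excluded_hosts=["203.0.113.10"],
    target_urls=["https://app.example.test/portal/Index.html"],
    window_start=datetime(2017, 10, 24),
    window_end=datetime(2018, 2, 28, 23, 59, 59),
    origin_ips=["192.0.2.7"],
)

# Constructed alert lines, as a SOC might retain them under section 13.
SAMPLE_ALERTS = [
    "2017-11-03T02:14:09 src=192.0.2.7 dst=203.0.113.5 sig=portscan",
    "2017-11-03T02:15:41 src=192.0.2.7 dst=203.0.113.6 sig=portscan",
    "2017-11-03T02:20:00 src=198.18.0.9 dst=203.0.113.5 sig=portscan",
    "2018-03-02T11:00:00 src=192.0.2.7 dst=203.0.113.5 sig=portscan",
]

if __name__ == "__main__":
    print(check_action(SAMPLE_AUTH, "203.0.113.10", "scan", "2017-11-01T10:00:00"))
    print(triage(SAMPLE_AUTH, SAMPLE_ALERTS))
```

Two design points match the contract's wording: exclusions are checked before ranges, so a restricted host inside a tested subnet is refused even though the subnet is in scope, and a tester origin seen outside the permitted window is tagged separately from unknown traffic rather than being treated as announced testing, because section 11 only covers activity inside the agreed windows.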
City of Fort Worth:
Printed Name: Susan Alanis
Title: Assistant City Manager
Signature: (signed)
Date: [illegible]

MSLC:
Printed Name: Ronald E. Franke
Title: Principal
Signature: (signed)
Date: [illegible]

Attested by: [signature illegible], City Secretary
APPROVED AS TO FORM AND LEGALITY: [signature illegible], Attorney
NO M&C REQUIRED
OFFICIAL RECORD, CITY SECRETARY, FT. WORTH, TX

MYERS AND STAUFFER LC
Authorization to Perform Internet/Network/Application Information Security Assurance Procedures

SECTION I - TEST ORIGIN INFORMATION (EXTERNAL SCAN)
A. GEOGRAPHICAL DATA - EXTERNAL SCAN
Street Address: 11044 Research Blvd; City: Austin; State: TX; Zip: 78759
B. INTERNET PROTOCOL DATA - EXTERNAL SCAN
Number of origin IP addresses to be used (external scan): ONE; IP address (external scan): TBD
Number of origin IP addresses to be used (pen testing): ONE; IP address (pen testing): TBD

SECTION II - TEST ORIGIN INFORMATION (INTERNAL SCAN)
A. GEOGRAPHICAL DATA - INTERNAL SCAN
Street Address: 275 W 13th Street; City: Fort Worth; State: Texas; Zip: 76102
B. INTERNET PROTOCOL DATA - INTERNAL SCAN
Number of origin IP addresses to be used (internal scan): ONE; IP address (internal scan): TBD
C. MSLC TEST DEVICE DATA
Device A - Mfgr: Dell; Model: TBD; Serial No.: TBD; Host name: TBD; Ethernet MAC: TBD; Ethernet IP: to be communicated prior to testing; Installed OS: Windows/Ubuntu

SECTION III-A. VULNERABILITY SCAN AND/OR PENETRATION TESTING - TEST TARGETS
(Columns: IP testing range (inclusive); excluded IP addresses; description/notes; # active IPs)
A: IP testing range: TBD; excluded IP addresses: (none listed); description/notes: (none); # active IPs: 6000
B through K: (blank)

SECTION III-B. APPLICATION VULNERABILITY SCAN AND/OR PENETRATION TESTING - TEST TARGETS
(Columns: URL for testing; application name/description/notes; is it a production, development or test environment?; application URL testing window; exclusions)
A: URL for testing: https://h2online.fortworthtexas.gov/Click2GovO(/Index.htmi; application: H2Online; environment: Production; testing window: (blank); exclusions: (blank)
B through F: (blank)

SECTION IV - VULNERABILITY SCAN AND/OR PENETRATION TESTING WINDOW INFORMATION
PERMITTED TEST WINDOWS
Dates on which testing is permitted (internal scans - onsite): OCTOBER 24, 2017 - FEBRUARY 28, 2018; times between which testing is permitted (internal scans): ANY - TO BE COORDINATED
Dates on which testing is permitted (external scans): OCTOBER 24, 2017 - FEBRUARY 28, 2018; times between which testing is permitted (external scans): ANY - TO BE COORDINATED
Dates on which testing is permitted (pen testing): OCTOBER 24, 2017 - FEBRUARY 28, 2018; times between which testing is permitted (pen testing): ANY - TO BE COORDINATED
Additional information pertaining to vulnerability scan/pen testing windows: (blank)

SECTION V - TEST ORIGIN POC INFORMATION
A: Name: KIM BRADLEY; Daytime phone: 512-340-7407; Cell phone: 512-750-3970; Email 1: KBRADLEY@MSLC.COM; Email 2: (blank)
B: (blank)

SECTION VI - TARGET NETWORK POC INFORMATION
A: Name: WILLIAM BIRCHETT; Daytime phone: 817-392-8105; Cell phone: 817-217-6982; Email 1: WILLIAM.BIRCHETT@FORTWORTHTEXAS.GOV; Email 2: (blank)
B: Name: KEVIN WOODS; Daytime phone: 817-392-6671; Cell phone: (blank); Email 1: KEVIN.L.WOODS@FORTWORTHTEXAS.GOV; Email 2: (blank)

SECTION VII - AGREEMENT
1. This agreement is between CITY OF FORT WORTH (client) and MYERS AND STAUFFER LC.
2. CLIENT authorizes MYERS AND STAUFFER LC to conduct vulnerability scanning on the IP addresses and URLs listed above. YES or NO
3. CLIENT authorizes MYERS AND STAUFFER LC to attempt to penetrate the security of these systems to perform a security audit. YES or NO
4. CLIENT authorizes MYERS AND STAUFFER LC to access the client's DNS server(s) and any other client machines needed to perform the security audit. Detailed penetration attempts will only be made on the machines listed above, as authorized.
5. CLIENT acknowledges that MYERS AND STAUFFER LC will use both manual and automated tools to attempt to penetrate the security of the system. CLIENT agrees to hold MYERS AND STAUFFER LC and any of its sub-contractors and suppliers harmless for any problems that may occur as a direct or indirect result of the security audit. This hold-harmless clause also includes, but is not limited to, any lost time or down time to Client's business.
6. MYERS AND STAUFFER LC warrants that the security audit will be conducted in a professional manner and that all information will be kept confidential.
7. The results of tests performed, and any projections into the future, are subject to the risk that vulnerabilities may not be discovered due to changes in operating environments or the discovery and creation of new vulnerabilities. The potential effectiveness of the tests performed is subject to inherent limitations. Accordingly, some vulnerabilities may not be detected. Furthermore, the projections of any conclusions based on our findings to future periods are subject to the risk that changes may alter the validity of such conclusions.
8. CLIENT authorizes MYERS AND STAUFFER LC to determine if wireless networks/access points are being used and, if used, are secure at the CLIENT. YES or NO. AND MYERS AND STAUFFER LC may scan for wireless access points and wireless traffic using Kismet and/or other open source products. MYERS AND STAUFFER LC may also determine if remote access is allowed, and if allowed is secure.
9. Duration: This agreement applies for the dates noted per the scan testing windows noted.

MSLC
Signature: (signed)
Typed or Printed Name: Ronald E. Franke
Address: 11044 Research Blvd, Suite C-500
City/State/Zip: Austin, TX 78759
Title: Principal
Date: 10/24/2017
Signatory Telephone Number: 512-340-7412
Signatory Email Address: rfranke@mslc.com

City of Fort Worth
Signature: (signed)
Typed or Printed Name: Susan Alanis
Address: (blank)
City/State/Zip: (blank)
Title: Assistant City Manager
Date: [illegible]
Signatory Telephone Number: (blank)
Signatory Email Address: (blank)
Attested by: [signature illegible], City Secretary

Myers and Stauffer Rules of Engagement

Contract Compliance Manager:
By signing I acknowledge that I am the person responsible for the monitoring and administration of this contract, including ensuring all performance and reporting requirements.
Signature: (signed)
Date: [illegible], 2017
Steve Streiffert
Assistant Director, IT Solutions Department