Request for Proposal for NBN

School: New York University
Course: 6083
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 17

Request for Proposal for NBN Penetration Testing Services
New York University
CS-GY 6573 Penetration Testing and Vulnerability Analysis, Fall 2023
November 2023, Version 1.0
Outsourced Cybersecurity Services
SCN, a leading cybersecurity consulting firm, is pleased to offer this Penetration Testing Proposal for NBN, in order to strengthen its security posture and mitigate potential vulnerabilities. We are dedicated to helping NBN assess and enhance its cybersecurity posture through comprehensive penetration testing. Our extensive experience, skilled team of experts, and commitment to excellence make us an ideal choice for this project. We hope the results of this testing will help NBN understand the cyber risks it faces from outside threats and will guide you in minimizing such risks in the future.

1. Proposal

Rachel Alexander, Pen Test Senior Engineer, PE
Rachel.Alexander@scn.org
6 MetroTech Center, Brooklyn, NY 11201

Date: November 5th, 2023

Subject: Penetration Testing and Risk Management for NBN's IT Infrastructure, with a focus on the Near-Earth Broadcast Network (NBN): Proposal for Penetration Testing Services in response to the Request for Proposal (RFP).
Table of Contents

1. Proposal (p. 2)
2. Introduction (p. 4)
   2.1 SCN, A Consulting Firm (p. 4)
   2.2 SCN Pen Test Overall Approach (p. 4)
   2.3 Schedule of Events (p. 7)
   2.4 Responsibilities (p. 9)
   2.5 Cost (p. 9)
3. Scope (p. 10)
   3.1 Targets (p. 10)
   3.2 Additional Pen Testing (p. 12)
   3.3 Rules of Engagement (p. 12)
   3.4 Assumptions (p. 13)
4. Methodology (p. 13)
   4.1 Testing Approach (p. 13)
   4.2 Actions (p. 14)
   4.3 Risk Methodology (p. 15)
5. Reference (p. 16)
   5.1 Glossary of Terms (p. 16)
   5.2 Tools Expected To Use (p. 16)
   5.3 Additional Interview Questions for Bill Gibson/NBN (p. 17)
2. Introduction

2.1 SCN, A Consulting Firm

SCN is a reputable and globally recognized leader in the field of cybersecurity consulting and risk management. With at least 4 years of experience, we have established a strong track record in providing comprehensive security solutions to organizations across various industries. Our core mission is to assist businesses in safeguarding their digital assets and ensuring their resilience against an ever-evolving threat landscape.

SCN specializes in a wide range of cybersecurity services, including but not limited to:
- Penetration Testing
- Vulnerability Assessment
- Risk Management

Our team comprises highly skilled and certified professionals who are experts in their respective fields. We maintain a commitment to staying at the forefront of industry best practices, emerging threats, and cutting-edge security technologies.

SCN adheres to the highest standards of professionalism and ethical conduct. We maintain certifications and memberships with leading industry organizations, and our methodologies align with recognized security frameworks and compliance standards. Our commitment to quality assurance ensures that our clients receive the most reliable and effective services.

At SCN, we understand that each client is unique, and we approach every project with a client-centric perspective. We work closely with our clients to customize security solutions that align with their specific needs, goals, and constraints. Our aim is to empower organizations with the knowledge and tools necessary to protect their critical assets effectively.

2.2 SCN Pen Test Overall Approach

The company's comprehensive penetration testing strategy forms a structured and strategic methodology to evaluate and strengthen its cybersecurity safeguards. This approach plays a critical role in pinpointing vulnerabilities, appraising security protocols, and proactively countering potential security risks:

1. Integrate strong data privacy safeguards at every stage of the penetration testing process to protect confidential data, while concurrently upholding adherence to data protection mandates.

2. We harness cutting-edge resources, including Metasploit, OWASP (Open Web Application Security Project), CVSS (Common Vulnerability Scoring System), NIST (National Institute of Standards and Technology), AWS (Amazon Web Services), PTES (Penetration Testing Execution Standard), and more. These tools, techniques, and methodologies are instrumental in upholding technical superiority and delivering top-tier penetration testing services to organizations, ensuring the highest level of quality.

Our foremost goal is to identify medium- to high-severity vulnerabilities within NBN's IT infrastructure. Our focused efforts are directed towards scrutinizing weaknesses in the external network, with a parallel commitment to performing penetration tests on web and mobile applications. If access is successfully attained, the subsequent step involves evaluating vulnerabilities within the internal network.

As stipulated in NBN's request outlined in the RFP, consultants will not be granted any network access, system access, physical access, or detailed IT infrastructure specifics. Consultants are expected to execute the penetration test strictly from an external perspective, akin to an outsider, whether a subscriber (Sub), a Business Partner (BP), or an unaffiliated entity. Therefore, the approach to be followed aligns with the principles of a RED TEAM evaluation, commonly referred to as black box testing.

In Black Box testing, the approach adopted closely simulates the actions of an external entity, effectively mimicking real-world tactics, techniques, and procedures. This emulation is grounded in the insights derived from intelligence reports, enabling a comprehensive evaluation of a system's security from an outsider's perspective.

We adhere to the Cyber Kill Chain Framework, developed by Lockheed Martin, which provides a methodical strategy for comprehending and safeguarding against sophisticated cyber threats. This framework outlines the customary phases attackers traverse when seeking to breach a target. Here is a succinct overview of the Cyber Kill Chain approach:

1. Reconnaissance: Adversaries collect data about the target, which encompasses the identification of potential weaknesses, key personnel, and system configurations.

2. Weaponization: Malevolent tools or malware are either crafted or procured with the purpose of capitalizing on the vulnerabilities that have been identified. In this phase, attackers fabricate weaponized materials, including phishing emails and malicious code, designed to serve their malicious objectives.

3. Delivery: Perpetrators deliver the weaponized content to the target, frequently employing techniques such as email attachments, drive-by downloads, or infiltrated websites.

4. Exploitation: After the weaponized content is executed, it leverages vulnerabilities within the target's systems or applications. Successful exploitation grants attackers a foothold within the target's operational environment.

5. Installation: Adversaries solidify an enduring presence within the compromised environment by implanting backdoors, Trojans, or other types of malware. This clandestine persistence ensures that attackers maintain control, even in the event that the initial entry point is identified and eliminated.

6. Command and Control (C2): The attackers establish a command and control infrastructure to orchestrate and govern the compromised systems. This network of C2 servers serves as the medium for communication between the attackers and the compromised environment, enabling remote oversight and management.

7. Actions on Objectives: This represents the ultimate aim of the attacker, encompassing objectives that may entail data exfiltration, espionage, acts of sabotage, or any other malicious activities that align with their vested interests.

Organizations employ the Cyber Kill Chain framework as a tool to comprehend and identify each phase of an attack, empowering them to adopt a proactive defense and mitigate potential threats. Recognizing and intervening in the early stages of this chain allows organizations to bolster their cybersecurity defenses and curtail the potential repercussions of cyber threats.
It is important to acknowledge that, although the framework offers a structured approach, the phases within it aren't always strictly sequential. Attackers may fluidly transition back and forth between these stages as they adjust to defensive measures and work to accomplish their objectives.

2.3 Schedule of Events

The schedule of events for a company's penetration test can vary based on the scope, complexity, and objectives of the test. Below is a general schedule that outlines the key events in the process:

1. Pre-Engagement Phase (11/6)
   - Kickoff Meeting: Discuss objectives, scope, and rules of engagement.
   - Contract and Legal Agreements: Sign contracts, non-disclosure agreements, and other legal documents.
   - Information Gathering: Gather information about the target environment, including IP addresses, domains, systems, and applications.
   - Permission and Authorization: Obtain formal approval and authorization from the organization to proceed with the penetration test.

2. Planning Phase (11/6 – 11/8)
   - Scoping: Define the specific goals, scope, and limitations of the penetration test.
   - Rules of Engagement: Establish the rules, constraints, and any testing limitations.
   - Team Selection: Assemble the penetration testing team with relevant expertise.
   - Risk Assessment: Identify potential risks associated with the test and develop a risk mitigation plan.

3. Reconnaissance Phase (11/9 – 11/14)
   - Passive Reconnaissance: Collect information about the target, such as IP addresses, domains, email addresses, and publicly available data.
   - Active Reconnaissance: Scan the target network to discover live hosts, open ports, and services.

4. Vulnerability Analysis and Scanning Phase (11/15 – 11/22)
   - Vulnerability Scanning: Use automated scanning tools to identify known vulnerabilities in the target.
   - Analysis: Assess the severity and potential impact of identified vulnerabilities.
5. Exploitation Phase (11/27 – 12/05)
   - Exploit Testing: Attempt to exploit identified vulnerabilities to gain access to systems or applications.
   - Privilege Escalation: If successful, attempt to escalate privileges within the compromised systems.

6. Post-Exploitation Phase (12/06 – 12/12)
   - Persistence: Establish a persistent presence within the compromised environment.
   - Lateral Movement: Move laterally within the network to identify additional vulnerabilities.

7. Reporting Phase (12/13 – 12/15)
   - Findings Documentation: Document all findings, including vulnerabilities, their impact, and potential attack paths.
   - Risk Assessment: Assess the risks associated with each finding.
   - Recommendations: Provide detailed recommendations for mitigating vulnerabilities and improving security.

8. Debrief and Review (12/13 – 12/15)
   - Presentation: Conduct a presentation to review findings, risks, and recommendations with stakeholders.
   - Discussion: Engage in discussions to clarify findings and address questions or concerns.
   - Approval for Remediation: Seek approval from the organization to proceed with remediation efforts.

Notes:

1. On Thursday, November 23rd, 2023, we observe the Thanksgiving Holiday, and consequently, no work will be carried out on either 11/23 or 11/24.

2. Please note that the mentioned dates are provisional and may require adjustments depending on NBN's availability and any unforeseen complexities encountered during the testing process. It is advisable to allocate buffer time to account for potential unexpected delays.
3. Effective and consistent communication is of utmost importance. We anticipate ongoing collaboration and prompt correspondence with NBN stakeholders in the event of any testing-related changes. This is crucial to ensure alignment, make course corrections as needed, and promptly address any concerns that may arise during the testing phase.

2.4 Responsibilities

NBN Team:
- It is imperative to carefully review and engage in discussions concerning the Scope of Work before commencing the testing process.
- In the event of any operational or maintenance concerns that could potentially disrupt the testing, immediate notification is essential.
- Several documents necessitate signing before the initiation of Penetration Testing Services.
- Attendance at the kick-off meeting is a mandatory requirement.

SCN Team:
- The SCN team conducts thorough verification of all equipment, encompassing both hardware and software.
- Any challenges encountered during the test will be promptly communicated to the customer.
- Progress reports, including mid-week and end-week summaries of findings, will be diligently provided.
- Urgent meetings will be arranged on an as-needed basis, while for other scenarios, end-of-week reports on test development findings will be delivered.

2.5 Cost

- The project budget is set at $50,000 for a duration of 3 weeks.
- In the event that additional tests are required, there will be an incremental cost of $10,000.

Break Down Of The Cost:

1. Labor Costs:
   - Project Manager: $10,000
   - Security Analysts (Team of 4): $30,000
   - Administrative Support: $2,000
2. External Services:
   - Penetration Testing Tools and Software: $5,000
   - Third-party Testing Platform Subscription: $1,000
3. Travel and Accommodation:
   - Travel expenses for on-site testing: $2,000
4. Contingency and Miscellaneous:
   - Contingency Reserve (10% of Total): $5,000 (for unforeseen expenses)

Total Cost: $50,000

This analysis takes into account the project team's labor expenses, outlays associated with external services and tools, potential travel and accommodation expenditures, as well as a contingency fund designated to address unanticipated or miscellaneous costs. It is important to acknowledge that this is a simplified cost breakdown, and the actual expenses may fluctuate contingent upon the distinct project needs and prevailing circumstances.

3. Scope

As derived from the RFP, it is evident that NBN manages publicly accessible web applications ("Apps") utilized by their subscribers and business associates. These web applications and APIs communicate with internal application servers and databases. Notably, both subscribers (Subs) and business partners (BPs) have the capability to establish accounts for designated public web applications. All of these components are hosted within NBN's network infrastructure, maintained on their premises.

3.1 Targets

NBN Scope:
- External Network Pen Testing: Enumeration and assessment of all external-facing hosts and services.
- External Web App Pen Testing: Assessment and exploitation of all external-facing Web Apps.
- Internal Network Pen Test: If internal network access is achieved, continue the assessment to find more vulnerabilities and determine impacts.

Severity: In the context of penetration testing, severity plays a pivotal role in evaluating the impact of identified vulnerabilities across the scope:
A. External Network Penetration Testing: Severity Assessment: Evaluates potential security implications. Severity levels range from critical to low, reflecting the ease of exploitation and potential consequences.

B. External Web Application Penetration Testing: Severity Assessment: Determines the significance of vulnerabilities. Ranging from high to low, it gauges the risks, with high-severity issues having the most severe impact.

C. Internal Network Penetration Testing: Severity Assessment: Crucial for understanding potential risks within the internal network. Identifies and prioritizes vulnerabilities based on severity to guide remediation efforts.

In all three components, severity assessments help organizations determine the criticality of vulnerabilities, prioritize remediation efforts, and allocate resources effectively. This ensures that high-risk vulnerabilities are addressed promptly, reducing the potential impact of security breaches, while also allowing organizations to focus on the most critical aspects of their security posture.

NBN is only interested in security flaws that have "medium" security impact or higher, but will still accept any vulnerability or weakness. Attacks that compromise a single account are considered "low". Information-only findings, suggested best practices, and theoretical-only exploits are considered "low".

3.2 Additional Pen Testing

Furthermore, for additional penetration testing, we will employ Kali Linux, work with both Apple and Windows operating systems, and leverage various commercial applications. This comprehensive approach ensures a thorough assessment of any potential security vulnerabilities, leaving no stone unturned.

Assets of NBN that will be tested:
- The NBN TVee app caters to subscribers through both web and mobile platforms, sharing a common infrastructure. Subscribers use it for media searching and streaming.
- In contrast, the NBN ADs app is designed exclusively for business partners, who can create, manage, and customize advertisements for specific subscribers while tracking engagement metrics.
- The NBN Help app, accessible through the web, serves both subscribers and business partners, facilitating account adjustments and real-time communication with customer support services.

Out of Scope:
- NBN employees use a vendor-hosted VPN provider, which is not in scope.
- NBN offices are all leased spaces that include physical security, which is not in scope.
- Existing NBN Sub and BP accounts are outside scope.
- Distributed Denial of Service attacks are out of scope.

3.3 Rules of Engagement

Rules of Engagement (ROE) for a penetration test serve as a set of guidelines and expectations for the test. In brief, here are the key aspects of ROE:
- Scope Definition: Clearly define what systems and areas will be tested and any that are off-limits.
- Authorization: Obtain written permission to conduct the test within specified timeframes.
- Legal Compliance: Ensure all test activities adhere to relevant laws and regulations.
- Non-Destructive Testing: Confirm the test's purpose is vulnerability identification, not causing harm.
- Data Privacy and Confidentiality: Protect sensitive data and establish handling protocols.
- Notification and Monitoring: Set rules for client notification and monitoring of test activities.
- Reporting Requirements: Define report content, format, and submission deadlines.
- Discretion and Anonymity: Specify confidentiality and the use of credentials.
- Emergency Procedures: Plan for handling unexpected security incidents or emergencies.
- Communication and Collaboration: Clarify how and when communication between the client and testers occurs.
- End-of-Test Procedures: Detail steps for concluding the test, including disabling access and tools.
- Post-Test Review: Schedule a review meeting to discuss findings and remediation.

ROE ensures a structured and secure penetration test that aligns with organizational objectives and maintains safety and compliance.

3.4 Assumptions

We operate on the assumption that every project activity will be conducted with full compliance to NBN's explicit consent and in strict adherence to all applicable legal regulations. Furthermore, all customer data handled will be subject to NBN's established terms and conditions.

We anticipate the active engagement of NBN stakeholders and personnel throughout the testing phase, ensuring their accessibility and immediate availability for any required assistance. This proactive collaboration is vital to address any potential concerns or requirements promptly.

4. Methodology

4.1 Testing Approach

For our testing methodology, we will be utilizing Black Box Testing. In this approach, our testers will have no prior insight into the internal workings of the application under scrutiny. We aim to evaluate the application from an external standpoint, mirroring the tactics employed by real-world attackers. To conduct this assessment, we will leverage a range of tools, including Nmap, Metasploit, Burp Suite, and custom scripts.
4.2 Actions

Here is a concise breakdown of the Black Box Penetration Testing plan for NBN's external-facing applications (NBN TVee, NBN Ads, NBN Help), with the possibility of extending the assessment to internal systems if access is gained:

Action 1: Preparing and Defining the Project Scope
- Initial Consultation: Initiate discussions with the designated NBN liaison to outline the testing goals, project schedules, and expected outcomes. Establish mutual agreement and endorse the Rules of Engagement (ROE).
- Scope Clarification: Precisely delineate the parameters of the examination. In this context, the focus lies on NBN's outward-facing applications and, if feasible, extends to internal applications.

Action 2: Gathering Information
- Target Profiling and Open-Source Intelligence: Initiate an inventory of potential targets and engage in basic open-source intelligence gathering, including preliminary inquiries and web searches. Identify entry points, such as URLs, login portals, and API interfaces for NBN's TVee, Ads, and Help applications. Engage with these applications as an ordinary user, making note of their functionalities, any data entry forms, or user profile settings.
- Technology Identification: Employ various techniques for identifying the technological aspects of the applications, including domain name analysis, WHOIS data exploration, DNS cache analysis, Google Dorking, and tools like Shodan. The objective is to discern the technologies in use, such as web servers, frameworks, IP addresses, HTTP headers, and error messages.

Action 3: Vulnerability Scanning
- Automated Network Scanning: Employ automated scanning tools, including Nmap, NSE, Recon-ng, or Burp Suite, to conduct a systematic examination of the application, seeking out prevalent vulnerabilities.
- Preliminary Discoveries: Compile the results obtained from the automated scans, readying them for subsequent manual scrutiny and in-depth investigation.

Action 4: Exploitation and Client-Side Assessment
- Exploitation: Proceed with the evaluation by performing standard web application attacks, including SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and examining potential file upload vulnerabilities. Employ Metasploit to identify and exploit prevalent vulnerabilities in order to gauge the system's susceptibility.

Action 5: Reporting
- Comprehensive Findings Documentation: Thoroughly record all discovered issues, elucidating the methodologies employed to uncover and exploit these vulnerabilities.
- Risk Evaluation: Assess the level of risk associated with each finding by utilizing a standardized metric such as the Common Vulnerability Scoring System (CVSS).
- Recommendations for Remediation: Deliver in-depth, actionable remediation guidance for every identified vulnerability, outlining precise strategies for mitigation and enhancement.

Action 6: Debrief and Feedback Session
- Debriefing Session: Convene a meeting with NBN to provide a comprehensive overview of the findings. During this session, engage in discussions concerning potential consequences and present recommendations for remediation.
- Collecting Input: Seek input from NBN regarding their perceptions of the testing process and the outcomes. Encourage an open exchange of feedback to enhance the overall testing experience.

Action 7: Post Engagement Phase
- Submission of Final Report: Deliver the all-encompassing final report, comprising both an executive summary and an in-depth account of the technical findings.
- Continued Assistance: Extend ongoing support to address any queries, provide clarifications, or attend to supplementary questions pertaining to the findings and the recommended actions.

4.3 Risk Methodology

1. CVSS (Common Vulnerability Scoring System): CVSS is an open framework designed to communicate the characteristics and severity of software vulnerabilities. It offers two versions for rating severity, with distinct score ranges:

CVSS v2.0 Ratings:
- None: Score Range 0.0
- Low: Score Range 0.0-3.6
- Medium: Score Range 4.2-6.6
- High: Score Range 8.0-10.0
- Critical: Score Range 9.0-10.0

CVSS v3.0 Ratings:
- None: Score Range 0.0
- Low: Score Range 0.2-3.4
- Medium: Score Range 4.4-6.8
- High: Score Range 7.0-9.6
- Critical: Score Range 9.0-10.0

These scoring methods help us assess the severity of identified vulnerabilities using standardized metrics.

2. The NIST Cybersecurity Framework: serves as a foundational policy framework that offers comprehensive guidance for computer security.

5. Reference

- https://brightspace.nyu.edu/d2l/le/lessons/292675/topics/8658235
- https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- https://www.nist.gov/privacy-framework/nist-sp-800-30
- PTES (Penetration Testing Execution Standard): A comprehensive framework for conducting penetration tests.
- https://www.first.org/cvss/
- https://csrc.nist.gov/publications/detail/sp/800-115/final

5.1 Glossary of Terms

For information regarding any terms that are used in the Proposal, please see the link below:
https://csrc.nist.gov/glossary

5.2 Tools Expected To Use

Here is a chart listing various tools and technologies used in different phases of penetration testing:
Phase                   Tools and Techniques
Information Gathering   Whois, Google search, OSINT, Shodan, Exiftool, FOCA, Recon-ng, Amass
Network Scanning        TCPdump, nmap, ncat
Vulnerability Scanning  OpenVAS
Exploitation            Metasploit (including Meterpreter), Fuzzing, BOF, edb (Assembly), msfvenom, BURP, OWASP ZAP, C and Python Programs
Password Cracking       John the Ripper (JTR), THC-hydra, Hashcat

These tools and technologies are utilized at various stages of a penetration testing engagement to assess and enhance security defenses.

5.3 Additional Interview Questions for Bill Gibson/NBN

1. What is NBN's strategy for staying ahead of emerging cybersecurity threats and vulnerabilities?
2. How does NBN ensure that penetration testing results are integrated into the organization's ongoing security practices and policies?
3. Can you provide an example of how NBN has improved its security posture based on findings from past penetration tests?
4. What measures does NBN have in place to ensure that sensitive customer data remains protected during penetration testing?
5. How does NBN handle incident response and remediation based on the results of penetration tests to minimize potential risks?