Channel: RFPMart - Nebraska RFPs

NET-7424 - USA (Nebraska) - Information Security Assessment and Penetration Testing Services - Deadline January 23, 2023

Posted Date : December 03, 2022
Product (RFP/RFQ/RFI/Solicitation/Tender/Bid Etc.) ID : NET-7424
A government authority located in Nebraska, USA is looking for an expert vendor for information security assessment and penetration testing services.
[A] Budget: Looking for Proposal
[B] Scope of Service:
(1) Vendor needs to provide information security assessment and penetration testing services to the government authority located in Nebraska.
1. External Network Vulnerability Assessment and Penetration Testing
• Information gathering: Identify live hosts, operating systems, services provided, access control mechanisms, access servers and any exposed interactions between systems.
• Generic vulnerability testing: Determine the presence of known vulnerabilities and document how they could be exploited. This includes vulnerabilities related to legitimately provided services such as HTTP, HTTPS, DNS, SMTP mail exchangers, Remote Access, etc.
• Misconfiguration tests: Identify and exploit typical misconfiguration problems.
• Authentication and access control schemes tests: Attempt to subvert authentication and access control mechanisms based on common attacks that exploit the lack of a strict security policy or enforcement.
2. Internal Network Vulnerability Assessment and Penetration Testing
• Acquire network access: locate and connect to network connections to access local networks.
• Information gathering tests: Identify live hosts, map network topology, identify operating system, services provided, access control mechanisms, and perform port scans on local networks.
• Generic vulnerability tests: Determine the presence of known vulnerabilities and how to exploit them. This includes vulnerabilities related to legitimately provided services such as HTTP, HTTPS, SMB, ARP, FTP, SMTP mail exchangers and gateways, DNS, and print sharing services, etc.
• Network characteristics and topology tests: Determine the presence of exploitable vulnerabilities related to network topology, network component configuration, design principles, and protocol-specific characteristics.
3. Wireless Network Assessment and Penetration Testing
• Information gathering: Identify all wireless networks that are available, map out public and private networks.
• Access control tests: Determine whether it is possible for a public user to connect to a private network (identification bypass).
• Vulnerability and packet capturing: Determine the presence of known vulnerabilities and their exploitation as well as packet captures.
4. Application Penetration Testing
• Information leakage, aimed at determining whether confidential information, or information that might otherwise aid an attacker, is disclosed by the application or its environment.
• Input validation, verifies that all user input is correctly validated, and sanitized, if necessary, to s
• Filtering layers, focused on verifying that the necessary filtering mechanisms are in place to proactively defend against common web application attacks.
• Parameter passing, testing that all parameter handling is performed in a secure manner. For example, looking for authorization information mishandled by the application, which instead of being stored server-side is sent by the user.
5. Client-Side Penetration Testing
• Information gathering
o Gather information from public sources (website, Google, newsgroups, mailing lists, etc.) for e-mail addresses of the customer and employee.
o Use phone and e-mail (spear phishing) tactics targeting select users to gather additional information about the user or Government Center.
• Attack and gain access
o Attempt to gain access to an employee’s machine via e-mail, phone, or other means.
o Install a remote agent on the compromised machine and be able to interact with the computer and then point out attack vectors a would-be attacker could achieve including.
6. Physical Penetration Testing
• Assesses all physical security controls, including locks, fences, security guards, cameras, and other security measures.
• Attempt to thwart these controls to gain physical access to restricted areas, identify sensitive data, and gain entry to a network.
(2) All questions must be submitted no later than December 9, 2022.
(3) Contract term will be one year.
[C] Eligibility:
- Onshore (USA Organization Only);
[D] Work Performance:
NA
Budget :
Deadline to Submit Proposals: January 23, 2023
Cost to Download This RFP/RFQ/RFI/Solicitation/Tender/Bid Document : 5 US$
