IT Security Solution
Use Penetration Testing to Find Vulnerabilities In Applications
The purpose of F.R ORBIT INTERNATIONAL Security’s application penetration test is to dive into a specific application (such as a web application) and assess how well it defends itself against real-world cyber attacks.
This service complements the external and internal penetration tests, and is recommended for when a deeper, application-specific security assessment is required.
The systems, architecture and workflow of the specific application are analyzed and tested, allowing the F.R ORBIT INTERNATIONAL Security team to provide you with deep insight into the application’s defenses and weaknesses.
The only truly secure system is one that is completely disconnected, powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.
Once the analysis has been completed, you will receive a bespoke, stakeholder-ready report on the findings of the application penetration test, together with expert recommendations to address the weaknesses found.
Discovery
During discovery we footprint and enumerate your environment looking for all possible avenues of penetrating your defenses.
Testing
We take on the role of the bad actors, uncovering critical weaknesses in your security defenses and exploiting them whenever possible.
Reporting
Upon completion we provide a report detailing our exploits and the remediation steps needed to improve your security posture.
How we work
We employ the world’s best and most certified white-hat hackers to uncover holes in your IT security. Here are the steps involved:
- Understand and prioritise your concerns and penetration test goals (e.g. compliance, vulnerability discovery, internal threat, etc.)
- Agree on penetration test approach and timings.
- Assign the expert penetration testers best suited to the tasks.
- Perform the penetration tests to uncover weaknesses in your cyber defenses.
- Give you a stakeholder-ready report providing a detailed review of your cybersecurity posture
- Work with you as a trusted IT security advisor if ongoing services are required
Benefits Of Working With Us
- Trusted cyber advisors for world-leading firms
- Experts in pen testing applications
- Gain deep insight to improve your applications’ security posture
- Exploits and recommendations fully documented
IT Penetration Testing:
Objective of the Test
The goal of this exercise is to ensure that reasonable protection is in place against the general and particular threats that may exist for the Bank’s systems, including but not limited to the following:
- To test and verify the security of the listed systems so as to ensure the effectiveness of deployed security measures.
- Verify the perimeter security controls.
- Verify the security setup and configuration of internal systems, including the associated networks and systems, with a view to ensuring the confidentiality, integrity, availability (CIA) and authenticity of data and information systems.
- Verify the security of the systems, web servers, web applications, databases and network equipment used by the Bank.
- Identify and recommend safeguards suited to the Bank’s environment, with the aim of strengthening the level of protection of the services.
Expected outcome of the assessment
- The information maintained should be secured from external and internal threats (intruders, hackers, script kiddies, theft, etc.) to the network, systems and applications;
- To understand the process of identifying vulnerabilities that may be visible from the internet as well as from the internal network;
- To evaluate the Bank’s security associated with the external and internal network;
- To comply with regulatory requirements on information security;
- To implement a formal, repeatable security awareness process and capability to ensure ongoing diligence in managing the risks associated with the Bank’s security position;
- To assess the risk to different categories of data at different levels of the company;
- To build a better understanding of security measures in order to ensure the integrity and confidentiality of data.
Scope of work
The scope of work includes external penetration testing through the external IP addresses and internal penetration testing through the block of private IP addresses that connects the Bank’s network, systems and running applications. It also covers identifying, understanding and verifying the weaknesses, misconfigurations and vulnerabilities associated with the accessible hosts at the network, operating system and application levels. The following areas are to be considered for the penetration test:
- Network device configuration reviews performed through the collection and analysis of data from a sampling of network devices, such as firewalls, routers, switches and wireless access points.
- Network based vulnerability scanning of a sample of internal systems to assess systems, network device and applications for vulnerabilities and security weaknesses.
- Review of automated scan results with manual testing to reduce false positive results.
- Analysis of findings to determine and document information regarding risk severity level, systems impacted and business risk summary for each finding.
- Host discovery to identify live hosts in the in-scope IP address ranges
- Network based vulnerability scanning of Internet accessible network devices for vulnerabilities and security weaknesses.
- Review of automated scan results with manual testing to reduce false positive results.
- Manual testing to identify vulnerabilities and security weaknesses that cannot be discovered through automated testing.
- Analysis of findings to determine and document information regarding risk severity level, systems impacted and business risk summary for each finding.
- Certified Ethical Hacker training must be provided for 2 persons. The trainer must be a certified EC-Council trainer with a minimum of 4 years’ training experience.
Practical recommendations for remediation, and the remediation effort level for each finding, are to be determined and documented.
The penetration test includes
During penetration testing, the penetration tester should consider the following tests, but is not limited to them:
- Perform information gathering and penetration testing on devices and hosts visible from within the network.
- Attempting to guess passwords of systems using password cracking tools.
- Searching for backdoors and traps in the programs.
- Attempting to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks.
- Checking whether commonly known holes in the software, especially the browser and the e-mail software, exist.
- Checking the weaknesses and vulnerabilities of the infrastructure.
- Attempting to take control of open ports and the services behind them.
- Attempting to cause application crashes.
- Vulnerability scanning of internal and external hosts/IPs.
- Injecting malicious code into application and database servers.
- Spoofing and network sniffing.
- Trojan activity checks.
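The password-guessing item above, as an added example that is not part of the original page or of the vendor’s own tooling: a Python dictionary attack run against two constructed credential stores, one using unsalted MD5 and one using salted PBKDF2, to show why a password-cracking test succeeds quickly against legacy storage and why password controls and slow, salted hashing matter. The usernames, passwords, salts and word list are all constructed for illustration.

```python
import hashlib
import os

# Constructed sample data (not from any real system): a short word list of the
# kind a cracking tool tries first, plus three accounts with varying password
# strength. "carol" uses a long random password that is not in the word list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "welcome1", "letmein", "Summer2023!"]
ACCOUNT_PASSWORDS = {"alice": "welcome1", "bob": "Summer2023!", "carol": "Tq8#vL2p!zR9wE"}


def hash_unsalted_md5(password: str) -> str:
    # Legacy storage: fast and unsalted. Identical passwords produce identical
    # hashes, so one precomputed table breaks every account at once.
    return hashlib.md5(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    # Hardened storage: per-account random salt and a deliberately slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_legacy_store(accounts):
    """{user: md5hex}, as a legacy application might store credentials."""
    return {user: hash_unsalted_md5(pw) for user, pw in accounts.items()}


def build_pbkdf2_store(accounts, iterations=100_000, salts=None):
    """{user: (salt, pbkdf2hex)}. Salts are random unless supplied (for tests)."""
    store = {}
    for user, pw in accounts.items():
        salt = salts[user] if salts else os.urandom(16)
        store[user] = (salt, hash_pbkdf2(pw, salt, iterations))
    return store


def crack_unsalted(store, wordlist):
    """Dictionary attack on unsalted hashes: hash the word list once, then
    recover every matching account with a lookup. Cost is O(len(wordlist))
    no matter how many accounts are in the store."""
    table = {hash_unsalted_md5(pw): pw for pw in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def crack_pbkdf2(store, wordlist, iterations=100_000):
    """Same attack on salted PBKDF2: every candidate must be re-derived per
    account at the full iteration cost. Returns ({user: password}, kdf_calls)
    so the extra work forced on the attacker is visible."""
    found, kdf_calls = {}, 0
    for user, (salt, target) in store.items():
        for pw in wordlist:
            kdf_calls += 1
            if hash_pbkdf2(pw, salt, iterations) == target:
                found[user] = pw
                break
    return found, kdf_calls


if __name__ == "__main__":
    legacy = build_legacy_store(ACCOUNT_PASSWORDS)
    print("unsalted MD5 cracked:", crack_unsalted(legacy, COMMON_PASSWORDS))
    hardened = build_pbkdf2_store(ACCOUNT_PASSWORDS)
    found, calls = crack_pbkdf2(hardened, COMMON_PASSWORDS)
    print("salted PBKDF2 cracked:", found, "after", calls, "KDF calls")
```

Both stores give up the two weak passwords, because a slow KDF only raises the cost per guess; it does not rescue a password that is in the attacker’s word list. What changes is the cost: the unsalted store falls to six hash computations for all accounts combined, while the salted store forces a fresh PBKDF2 run for every (account, candidate) pair. The practical finding from a test like this is therefore twofold: upgrade legacy hash storage, and enforce password controls so that user-chosen passwords are not in common word lists.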
Auditing Security
- Input validation testing: OS command injection, script injection, SQL injection, LDAP injection, cross-site scripting, etc.
- Attempting to guess passwords of systems using password cracking tools.
- Attempting to overload the system using DDoS (Distributed Denial of Service) & DoS (Denial of Service) attacks.
- Determine the need for error/exception reports related to data integrity and evaluate whether this need has been filled.
- Review and evaluate the controls in place over data feeds to and from interfacing systems.
- Ensure that the application provides a mechanism that authenticates users, based, at a minimum, on a unique identifier for each user and a confidential password.
- Review and evaluate the application’s authorization mechanism to ensure users are not allowed to access any sensitive transactions or data without first being authorized by the system’s security mechanism.
- Ensure that the system’s security/authorization mechanism has an administrator function with appropriate controls and functionality.
- Determine whether the security mechanism enables any applicable approval processes.
- Verify that the application has appropriate password controls. Also, determine whether default application account passwords have been changed.
- Ensure that users are automatically logged off from the application after a certain period of inactivity.
- Evaluate the use of encryption techniques to protect application data.
- Ensure that the application software cannot be changed without going through a standard checkout/ staging/testing/approval process after it is placed into production.
- Controls over automated processing /updating of records, review or check of critical calculations such as interest rates, levying of various charges etc., review of the functioning of automated scheduled tasks, batch processes, output reports design, reports distribution, etc.
- Review of all controls including boundary controls, input controls, communication controls, database controls, output controls, and interfaces controls from security perspectives.
- Review the effectiveness and efficiency of the applications. Identify any ineffectiveness of the intended controls in the software and analyze its cause. Review the adequacy and completeness of controls.
- Adequacy of Audit trails and meaningful logs.
- As part of documenting the flow of transactions, information gathered should include both computerized and manual aspects of the system. Focus should be on data input (electronic or manual), processing, storage and output which are of significance to the audit objective.
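The input validation item in the list above (SQL injection and OS command injection), as an added example that is not part of the original page or of the vendor’s methodology: each vulnerable form is shown beside its hardened form, so the tester can see what a finding looks like and what the remediation recommendation should be. The users table, credentials and function names are constructed for illustration; the vulnerable functions are deliberately insecure and exist only to be tested against.

```python
import re
import sqlite3
import subprocess

# Constructed sample data: a two-row users table standing in for the
# application database under test. Credentials are invented.
SEED_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: user input is spliced into the query text, so a value
    such as  ' OR '1'='1  rewrites the WHERE clause and matches every row."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Hardened form: a parameterised query. The driver sends the values
    separately from the SQL text, so quotes in the input are just characters."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def greet_vulnerable(name):
    """OS command injection: the input becomes part of a shell command line,
    so a ';' (or '|', '$(...)', backticks) starts a second command."""
    return subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True).stdout


def greet_safe(name):
    """Hardened form: argv list, no shell. The whole input is one argument."""
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


# Allow-list for the hypothetical "name" field: letters, digits, '_', '.', '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_acceptable_name(name):
    """Allow-list validation, applied in addition to (not instead of) avoiding
    the shell and using parameterised queries."""
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with injected credentials:", login_vulnerable(db, payload, payload))
    print("safe login with the same input:", login_safe(db, payload, payload))
    print("vulnerable greeting:", repr(greet_vulnerable("x; echo INJECTED")))
    print("safe greeting:", repr(greet_safe("x; echo INJECTED")))
```

The same injected credential pair logs in as every user through the concatenated query and as nobody through the parameterised one; the same `;`-separated input runs a second command through the shell string and is echoed back as a single literal argument through the argv list. The `echo` command runs on a POSIX system with /bin/sh; on other platforms only the SQL part of the example applies.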
List of Applications, Systems, Equipment under Testing Scope at Production environment
Application
Applications with related systems
System Information
Network Equipment
Penetration Testing Deliverables
Final Report of Penetration Testing will follow the following structure:
- Executive Summary
- Technical Findings
- Supplemental Data
- Appendices
Report includes:
Technical Proposal
The proposer’s proposal in response to this RFP must include each of the following sections:
- Executive Summary
- Project Deliverables
- Project Management Approach
- Detailed and Itemized Pricing
- Appendix: References
- Appendix: Project Team Staffing
Terms and Conditions:
- The Company will perform vulnerability Assessment and Penetration test.
- The academic qualification of the Company’s testers must be a Bachelor’s degree in Computer Science / IT / CSE / CIS with a Master’s in Information Security / Security Science. The Company must have sufficient high-quality vendor-certified personnel with certifications and training from an authorized partner, such as Certified Ethical Hacker (CEH), Certified Information Systems Auditor (CISA) and ISO 27001 Lead Auditor, and proven references for conducting similar activities, preferably in a bank, as well as special training on penetration testing tools such as BackTrack and special training on web application penetration testing.
- The Company must use penetration testing tools.
- At least 1 (one) / 2 (two) relevant certified professionals must be regular employees of the Company.
- The Company must have a strong presence and support offices in Dhaka, with a minimum of 1/2 certified technical personnel (mentioned in 5) for maintenance and support of the proposed goods and services.
- Penetration Test should be performed after the regular transaction period to avoid any interruption during testing.
- The Company will have to start the job within 15 days of the date of the work order and complete it within the stipulated time.
- The Company must complete all the testing and submit final report within 02 (three) months from the date of issuance of work order.
- Any data provided to the company by Bank remains the property of Bank and may not be quoted, published or otherwise made known to any person who is not an employee of the Bank/Vendor without Bank’s prior written consent.
- Ownership of all Intellectual Property Rights in the System and/or Equipment remains at all times with the Bank (if applicable). “Intellectual Property Rights” (IPR) means all intellectual and industrial property rights of any kind whatsoever including patents, supplementary protection certificates, registered trademarks, registered designs, models, unregistered design rights, unregistered trademarks, rights to prevent passing off or unfair competition and copyright (whether in drawings, plans, specifications, designs and computer software or otherwise), database rights, topography rights, any rights in any invention, discovery or process, rights in formulae, methods, plans, inventions, discoveries, improvements, processes, performance methodologies, techniques, specifications, technical information, tests, results, reports, component lists, manuals and instructions, and applications for and rights to apply for any of the foregoing.
- Bill(s) shall be paid in net after deduction of VAT, tax and other allowable government charges, if any.
- The Bank authority reserves the right to relax, change or drop any of the terms and conditions of the schedule without any further notice.
- The Bank authority reserves the right to seek clarification / ask further queries regarding any aspect of the tender from any participating company and use the answer(s) in evaluation of the offer/tender.
- The Bank authority reserves the right to accept or reject any or all offers/tenders, in part or in full, without showing any reason.
Trend Micro:
Enterprise Security for Endpoints