
CONTRACT FOR

Penetration Testing & Information Security Assessment

This Contract, dated , 2019, is between the City of Bryan, a Texas home-rule municipal corporation, (the City) and BreakPoint Labs, LLC (the FIRM), whereby the FIRM agrees to provide the City with certain services as described herein and the City agrees to pay the FIRM for those services.

1. Scope of Services

In consideration of the compensation stated in Paragraph 2, the FIRM agrees to provide the City with the services as described in Exhibit A – RFQ 19-017, BreakPoint Labs, LLC - Submittal to the City of Bryan which is incorporated herein by reference for all purposes, and which services may be more generally described as follows:

“RFQ 19-017 Penetration Testing & Information Security Assessment”

2. Payment

In consideration of the FIRM’s provision of the services in compliance with all terms and conditions of this Contract, the City shall pay the FIRM according to the terms set forth in Exhibit A. Except in the event of a duly authorized change order, approved by the City in writing, the total cost of all professional services and expenses provided under this Contract may not exceed $170,527.00.

3. Time of Performance

A. All work and services provided under this Contract must be completed as outlined in Exhibit A.

B. Time is of the essence of this Contract. The FIRM shall be prepared to provide the professional services in the most expedient and efficient manner possible in order to complete the work by the project timeline specified in Exhibit A.

4. Term of Contract

A. The initial term of the contract is one (1) year. The City also reserves the right to extend this contract for an additional two (2) one (1) year periods for a total possible term of three (3) years.

5. Warranty, Indemnification, & Release

A. As an experienced and qualified FIRM, the FIRM warrants that the information provided by the FIRM reflects high professional and industry standards, procedures, and performances. The FIRM warrants that the performance of all services under this Contract will be pursuant to a high standard of performance in the profession. The FIRM warrants that the FIRM will exercise diligence and due care and perform in a good and workmanlike manner all of the services pursuant to this Contract. Approval of the City shall not constitute, or be deemed, a release of the responsibility and liability of the FIRM, its employees, agents, or associates for the exercise of skill and diligence to promote the accuracy and competency of their services, or any document, nor shall the City's approval be deemed to be the assumption of responsibility by the City for any defect or error in the aforesaid documents prepared by the FIRM, its employees, associates, agents, or subcontractors.

B. The FIRM shall promptly correct any defective services or documents furnished by the FIRM at no cost to the City. The City's approval, acceptance, use of, or payment for, all or any part of the FIRM's services hereunder or of the scope of work itself shall in no way alter the FIRM's obligations or the City's rights hereunder.

C. In all activities or services performed hereunder, the FIRM is an independent contractor and not an agent or employee of the City. The FIRM and its employees are not the agents, servants, or employees of the City. As an independent contractor, the FIRM shall be responsible for the professional services and the final work product contemplated under this Contract. Except for materials furnished by the City, the FIRM shall supply all materials, equipment, and labor required for the professional services to be provided under this Contract. The FIRM shall have ultimate control over the execution of the professional services. The FIRM shall have the sole obligation to employ, direct, control, supervise, manage, discharge, and compensate all of its employees or subcontractors, and the City shall have no control of or supervision over the employees of the FIRM or any of the FIRM’s subcontractors.

D. The FIRM must at all times exercise reasonable precautions on behalf of, and be solely responsible for, the safety of its officers, employees, agents, subcontractors, licensees, and other persons, as well as their personal property, while in the vicinity of the Project or any of the work being done on or for the Project. It is expressly understood and agreed that the City shall not be liable or responsible for the negligence of the FIRM, its officers, employees, agents, subcontractors, invitees, licensees, and other persons.

E. Responsibility for damage claims (indemnification): FIRM shall defend, indemnify and save harmless the City and all its officers, agents, and employees from all suits, actions, or claims of any character, name and description brought for or on account of any injuries or damages received or sustained by any person or persons or property resulting from the FIRM’s negligent performance of the work, or by or on account of any claims or amounts recovered under the Worker’s Compensation Law or any other law, ordinance, order or decree, and his sureties shall be held until such suit or suits, action or actions, claim or claims for injury or damages as aforesaid shall have been settled and satisfactory evidence to the effect furnished the City. The FIRM shall defend, indemnify and save harmless the City, its officers, agents and employees in accordance with this indemnification clause only for that portion of the damage caused by FIRM’s negligence.

F. Release. The FIRM releases, relinquishes, and discharges the City, its officers, agents, and employees from all claims, demands, and causes of action of every kind and character, including the cost of defense thereof, for any injury to, sickness or death of the FIRM or its employees and any loss of or damage to any property of the FIRM or its employees that is caused by or alleged to be caused by, arises out of, or is in connection with the FIRM’s negligent performance of the work. Both the City and the FIRM expressly intend that this release shall apply regardless of whether said claims, demands, and causes of action are covered, in whole or in part, by insurance.

6. FIRM’s Insurance

The Contractor agrees to maintain the minimum insurance coverage and comply with each condition set forth below during the duration of this contract with the City. All parties to this contract hereby agree that the Contractor's coverage will be primary in the event of a loss, regardless of the application of any other insurance or self-insurance.

Contractor must deliver to City a certificate(s) of insurance evidencing such policies are in full force and effect within 10 business days of notification of the City’s intent to award a Contract. No contract shall be effective until the required certificate(s) have been received and approved by the City. Failure to meet the insurance requirements and provide the required certificate(s) and any necessary endorsements within 10 business days may cause the contract to be rejected.

The City reserves the right to review these requirements and to modify insurance coverage and their limits when deemed necessary and prudent.

A. Workers’ Compensation Insurance & Employers’ Liability Insurance - Contractor shall maintain Workers’ Compensation insurance for statutory limits and Employers’ Liability insurance with limits not less than $500,000 each accident for bodily injury by accident or $500,000 each employee for bodily injury by disease. Contractor shall provide Waiver of Subrogation in favor of the City and its agents, officers, officials, and employees.

B. Commercial General Liability Insurance - Contractor shall maintain Commercial General Liability (CGL) with a limit of not less than $1,000,000 per occurrence and an annual aggregate of at least $2,000,000. CGL shall be written on a standard ISO “occurrence” form (or a substitute form providing equivalent coverage) and shall cover liability arising from premises, operations, independent contractors, products-completed operations, personal and advertising injury, and liability assumed under an insured contract including the tort liability of another assumed in a business contract. No coverage shall be deleted from the standard policy without notification of individual exclusions and acceptance by the City. The City and its agents, officers, officials, and employees shall be listed as an additional insured.

C. Business Automobile Liability Insurance - Contractor shall maintain Business Automobile Liability insurance with a limit of not less than $1,000,000 each accident. Business Auto Liability shall be written on a standard ISO version Business Automobile Liability, or its equivalent, providing coverage for all owned, non-owned and hired automobiles. Contractor shall provide Waiver of Subrogation in favor of the City and its agents, officers, officials, and employees.

D. Professional Liability Insurance - Contractor shall maintain Professional Liability (errors & omissions) insurance with a limit of not less than $1,000,000. If written on a “Claims-Made” form, Contractor agrees to maintain a retroactive date equivalent to the inception date of the contract (or earlier) and maintain continuous coverage or a supplemental extended reporting period for a minimum of two years after the completion of this contract. Contractor will be responsible for furnishing certification of coverage for 2 years following contract completion.

E. Policy Limits - Required limits may be satisfied by a combination of primary and umbrella or excess liability policies. Contractor agrees to endorse City and its agents, officers, officials, and employees as an additional insured, unless the Certificate states the Umbrella or Excess Liability provides coverage on a pure “True Follow Form” basis.

F. Deductibles, Coinsurance Penalties & Self-Insured Retention - Contractor may maintain reasonable and customary deductibles, subject to approval by the City. Contractor shall agree to be fully and solely responsible for any costs or expenses as a result of a coverage deductible, coinsurance penalty, or self-insured retention.

G. Subcontractors - If the Contractor’s insurance does not afford coverage on behalf of any Subcontractor(s) hired by the Contractor, the Subcontractor(s) shall maintain insurance coverage equal to that required of the Contractor. It is the responsibility of the Contractor to assure compliance with this provision. The City accepts no responsibility arising from the conduct, or lack of conduct, of the Subcontractor.

H. Acceptability of Insurers - Insurance coverage shall be provided by companies admitted to do business in Texas and rated A-:VI or better by AM Best Insurance Rating.

I. Evidence of Insurance – A valid certificate of insurance verifying each of the coverages required shall be issued directly to the City within 10 business days by the successful Contractor’s insurance agent or insurance company after contract award. Endorsements must be submitted with the certificate. No contract shall be effective until the required certificates have been received and approved by the City.

Renewal certificates shall be sent a minimum of 10 days prior to coverage expiration. Upon request, Contractor shall furnish the City with certified copies of all insurance policies. The certificate of insurance and all notices shall be sent to:

City of Bryan Risk Management PO Box 1000 Bryan, TX 77805 Emailed to: [email protected]

Failure of the City to demand evidence of full compliance with these insurance requirements or failure of the City to identify a deficiency shall not be construed as a waiver of Contractor’s obligation to maintain such insurance.

J. Notice of Cancellation, Non-renewal, Material Change, Exhaustion of limits – Contractor must provide minimum 30 days prior written notice to the City of policy cancellation, material change, exhaustion of aggregate limits, or intent not to renew insurance coverage. If City is notified a required insurance coverage will cancel or non-renew during the contract period, the Contractor shall agree to furnish prior to the expiration of such insurance, a new or revised certificate(s) as proof that equal and like coverage is in effect. The City reserves the right to withhold payment to Contractor until coverage is reinstated.

K. Contractor’s Failure to Maintain Insurance – If the Contractor fails to maintain the required insurance, the City shall have the right, but not the obligation, to withhold payment to Contractor until coverage is reinstated or to terminate the Contract.

L. No Representation of Coverage Adequacy - The requirements as to types and limits, as well as the City’s review or acceptance of insurance coverage to be maintained by Contractor, is not intended to nor shall in any manner limit or qualify the liabilities and obligations assumed by the Contractor under the Contract.

7. Termination

A. The City may terminate this Contract at any time upon thirty (30) calendar days’ written notice. Upon the FIRM’s receipt of such notice, the FIRM shall cease work immediately. The FIRM shall be compensated for the services satisfactorily performed prior to the termination date.

B. If, through any cause, the FIRM fails to fulfill its obligations under this Contract, or if the FIRM violates any of the agreements of this Contract, the City has the right to terminate this Contract by giving the FIRM five (5) calendar days’ written notice. The FIRM will be compensated for the services satisfactorily performed before the termination date.

B. No term or provision of this Contract shall be construed to relieve the FIRM of liability to the City for damages sustained by the City because of any breach of contract by the FIRM.

The City may withhold payments to the FIRM for the purpose of setoff until the exact amount of damages due the City from the FIRM is determined and paid.

8. Miscellaneous Terms

A. This Contract has been made under and shall be governed by the laws of the State of Texas. The parties agree that performance and all matters related thereto shall be in Brazos County, Texas.

B. Notices shall be mailed to the addresses designated herein or as may be designated in writing by the parties from time to time and shall be deemed received when sent postage prepaid U.S. Mail to the following addresses:

The City of Bryan:
Attn: Bernie Acre
P.O. Box 1000
Bryan, Texas 77805

The FIRM:
BreakPoint Labs, LLC
8116 Arlington Blvd #255
Falls Church, VA 22042

C. No waiver by either party hereto of any term or condition of this Contract shall be deemed or construed to be a waiver of any other term or condition or subsequent waiver of the same term or condition.

D. This Contract represents the entire and integrated agreement, as attached in Exhibit A between the City and the FIRM and supersedes all prior contracts, negotiations, representations, or agreements, either written or oral. This Contract may only be amended by written instrument approved and executed by the parties.

E. This Contract and all rights and obligations contained herein may not be assigned by the FIRM without the prior written approval of the City.

F. The FIRM, its agents, employees, and subcontractors must comply with all applicable federal and state laws, the charter and ordinances of the City of Bryan, and with all applicable rules and regulations promulgated by local, state, and national boards, bureaus, and agencies. The FIRM must obtain all necessary permits and licenses required in completing the work and providing the services required by this Contract.

G. Reimbursable or other miscellaneous expenses incurred by the FIRM shall be included in the contract price; additional payment for such expenses will not be considered.

H. The parties acknowledge that they have read, understood, and intend to be bound by the terms and conditions of this Contract.

I. Pursuant to Texas Government Code 2270.002, a governmental entity may not enter into a contract with a company for goods or services unless the contract contains written verification from the company that it: (1) does not boycott Israel; and (2) will not boycott Israel during the term of the contract.

APPROVED AS TO FORM:
Janis K. Hampton, City Attorney
Date:

CITY OF BRYAN:

APPROVED FOR PROCESSING:
Bernie Acre, Chief Information Officer
Date:

APPROVED FOR COUNCIL:
Kean Register, City Manager
Date:

APPROVED:
Andrew Nelson, Mayor
Date:

ATTEST:
Mary L. Stratta, City Secretary
Date:

FIRM:
By: (FIRMs – Corporate Seal)
Printed Name:
Title:
Date:

STATE OF TEXAS §
§ ACKNOWLEDGEMENT
COUNTY OF __________ §

This instrument was acknowledged before me on the _______ day of ____________, 2019, by __________________________________________ on behalf of _______________________.

Notary Public in and for the State of Texas

Exhibit A

Response Submitted by BreakPoint Labs, LLC

City of Bryan, Texas Penetration Testing & Information Security Assessment - #19-017 Request For Proposal (RFP) Response

Submitted To:
City of Bryan Purchasing Department
1309 E. Martin Luther King St.
Bryan, TX 77803
Point of Contact: Karen Sonley
[email protected]

Submitted By:
BreakPoint Labs, LLC
8116 Arlington Blvd #255
Falls Church, VA 22042
Point of Contact: Andrew S. McNicol
[email protected]
(443) 223-0482

This data shall not be disclosed outside the City of Bryan and shall not be duplicated, used, or disclosed in whole or in part for any purpose other than the City of Bryan's review; provided, that if a contract is awarded to this offeror as a result of, or in connection with the submission of this data, the City of Bryan shall have the right to duplicate, use, or disclose the data to the extent provided in the contract. This restriction does not limit the organization's right to use information contained in the data if it is obtained from another source without restriction. The data subject to this restriction is applicable to all following pages in this document.

Submitted: 2/8/2019

City of Bryan, Texas

RFP #19-017 - Penetration Testing & Security Assessment

Use or disclosure of data is subject to the restriction on the cover page of this proposal.

2/08/2019 2

Table of Contents

TAB A - Qualifications and Experiences
  Company Background
  Customers Overview
  Qualifications
  Proposed Team and Related Experience
  Performance and Regulatory Authority Assurances

TAB B - Rates and Expenses
  Rates and Expenses Assurances

TAB C - Project Timeline

TAB D - Methodology and Technical Approach
  1.0 Why Choose BreakPoint Labs (BPL)?
  2.0 BPL's Security Assessment Methodology - A Risk Based Approach
  3.0 External Penetration Testing and Vulnerability Assessments – Our Approach
  4.0 Internal Penetration Testing – Our Approach
  5.0 Wireless Network Penetration Testing
  6.0 SCADA and Industrial Control System (ICS) Testing
  7.0 Client-Side Penetration Testing
  8.0 Application Penetration Testing
  9.0 Reporting and Analysis
  9.1 Remediation Testing and Support
  10.0 Data Security
  10.1 Tools Leveraged
  10.2 Assurances and Warrants
  10.3 BPL Goes Beyond Automated Tools
  10.4 BPL Finds Vulnerabilities and Bad Guys

TAB E - References

TAB F - Certification Page

Appendix A – Proposed Timeline & Milestones


February 8th, 2019

City of Bryan - Purchasing Department
Attn: Karen Sonley, Purchasing Supervisor
1309 E. Martin Luther King St.
Bryan, TX 77803

RE: Letter of Transmittal

Dear Ms. Sonley,

BreakPoint Labs, LLC is pleased to submit the attached proposal in response to your solicitation for Penetration Test & Security Assessment - #19-017 as well as the completed RFP document. BreakPoint Labs, LLC believes it is the right candidate to deliver the City of Bryan a thorough penetration test and security assessment as requested, based on our high quality of service, technical excellence, and proven expertise in the field. BreakPoint Labs is confident you will approve of BreakPoint Labs, LLC methodologies and procedures, as well as our corporate culture, which have helped us receive outstanding feedback and accolades from our current and former clients.

Regarding our proposal, BreakPoint Labs, LLC hereby understands, accepts, acknowledges, certifies, warrants and/or agrees to all the terms and conditions stipulated in the City of Bryan's RFP. BPL has provided or will provide any documentation further requested.

Please feel free to contact us at any time to discuss this opportunity or pose any questions you or your staff may have regarding the BreakPoint Labs, LLC proposal.

Respectfully,

Thomas George
Chief Executive Officer
BreakPoint Labs, LLC
[email protected]
301-233-2347

Andrew McNicol
Chief Technology Officer
BreakPoint Labs, LLC
[email protected]
443-223-0482

Build. Protect. Learn.


TAB A - Qualifications and Experiences

Company Background

BreakPoint Labs, LLC (BPL) is a cybersecurity service provider that takes tremendous pride in understanding and addressing its customers’ most complex cybersecurity challenges. BPL is a privately owned certified small business that was founded in 2015. BPL is headquartered in the Washington DC National Capital Region and provides cybersecurity services nation-wide. BreakPoint Labs currently employs 25 full time employees, 20 of which are fully dedicated to cybersecurity services. Since 2015, BPL has grown from 3 to 25 employees, with 100 percent retention, and continues to expand. All BPL engineers supporting cybersecurity services are subject to in-depth background investigations conducted by the US Government in order to achieve a Top Secret (TS) clearance.

Over the past 20 years, BreakPoint Labs personnel have supported the formation of multiple Department of Defense (DoD) Computer Network Defense Service Providers. The core elements of an effective network defense team include detection, protection, and response. BreakPoint Labs has extensive experience in both identifying vulnerabilities and defending the DoD's network infrastructure. BPL's efforts have resulted in over 250 assessment reports and thousands of impactful vulnerabilities remediated. From the perspective of both attacking and defending networks, BPL adds relevancy to this effort and will ensure that the City of Bryan's vulnerabilities are identified and information on remediation is given as quickly as possible.

In response to the City of Bryan's Request for Proposal (RFP), “Penetration Test & Security Assessment - #19-017”, BreakPoint Labs has assigned its top technical talent to ensure the highest level of quality throughout the duration of the proposed assessment. Under the leadership of the BreakPoint Labs Chief Technical Officer (CTO), Andrew McNicol, the BreakPoint Labs Team brings the City of Bryan vast experience in full-spectrum cybersecurity assessments. From evaluating industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems within the US Army Corps of Engineers (USACE) via security assessments, to enterprise assessments of government entities and private industry organizations, the BreakPoint Labs Team has applied a risk-based cybersecurity assessment methodology to deliver value to its clients.


BreakPoint Labs personnel are passionate about cybersecurity, as demonstrated by its wide array of industry-recognized certifications and significant contributions to the information security community as detailed in the proposal. BPL is well postured to partner with the City of Bryan, as engaged, capable, enthusiastic, and qualified collaborators who assist customers in addressing their most pressing security challenges. BPL appreciates the opportunity to engage in this worthwhile project in the identification of any flaws and/or vulnerabilities across the organization's infrastructure.

Customers Overview

BreakPoint Labs personnel have significant experience in assisting a diverse customer base in vulnerability assessments, penetration testing, and network intrusion detection. Our security engineers specialize in performing penetration tests and security assessments for these organizations to help identify the potential impact an adversary could have. From this experience, BPL understands the challenges that organizations face, with a need for enhanced usability, a dynamic user base, and inherent protection of personal security data, while ultimately remaining secure. BPL security engineers practice a tailored, customized, and repeatable approach towards security assessments including how BPL identifies, classifies and prioritizes risks based upon the complexity of the organization’s infrastructure, size, and technology in use. BreakPoint Labs security engineers have worked with a large number of organizations, including entities across the Department of Defense (DoD), government, and private sectors.

● Broward County Local Government in Florida

● University of Texas at Dallas (UTD)

● University of Iowa (UI)

● University of Northern Iowa (UNI)

● Iowa State University (ISU)

● Maryland Auto Insurance (MAI)

● Messer Construction

● United States Military Academy (USMA)

● United States Air Force Academy (USAFA)

● United States Naval Academy (USNA)

● Naval Postgraduate School (NPS)

● Air Force Institute of Technology (AFIT)

● National Defense University (NDU)

● Massachusetts Institute of Technology (MIT) Lincoln Laboratory

● DoD High Performance Computing Modernization Program (HPCMP)

● U.S. Army Engineer Research and Development Center (ERDC)

● Defense Research and Engineering Network (DREN)

● US Army Corps of Engineers (USACE)


Over the past three (3) years BPL security engineers have performed over one hundred security assessments, including variations of penetration testing and vulnerability enumeration. BPL security engineers have helped organizations identify exploitable vulnerabilities that would have had a negative business impact if compromised. Below are some highlights of how BPL security engineers have improved the security posture of its customers:

● Identified a critical SQL Injection (SQLi) vulnerability in an Internet-facing application that when exploited allowed an adversary to access all the clear-text usernames and passwords for the entire commercial company.

● Discovered custom vulnerabilities in DoD research and educational organizations that would have allowed for a complete compromise of the organization.

● Enumerated several unknown vulnerabilities in commercial applications in use by DoD organizations and followed a responsible disclosure process to communicate findings with the vendors.

● Helped DoD research and educational organizations identify emerging high-impact vulnerabilities (Shellshock, Heartbleed, etc.) by developing custom tools for use in their environment prior to release of checks in commercial scanning tools.

● Discovered a critical SMTP injection vulnerability for a DoD organization that would have allowed for an attacker to send E-mails as anyone in the organization. The team leveraged Google hacking techniques to enumerate over 300 instances of the vulnerable code in use throughout the DoD.

● Enumerated flaws in technology features that allowed BPL security engineers to expose over 70,000 records of Personally Identifiable Information (PII) including Social Security Numbers, Credit Card Information, etc. for


Qualifications

BreakPoint Labs values higher education and has personnel that currently hold advanced degrees in Computer Security, Cybersecurity, Management of Information Systems, Business Administration, and Computer Science. BPL guarantees technically competent personnel who are highly certified, trained, and experienced to detect and counter emerging threats. BPL personnel hold numerous industry-recognized certifications, including but not limited to those listed in the following table:

Provider | Certification

International Information Systems Security Certification Consortium (ISC2) | Certified Information Systems Security Professional (CISSP)

Information Systems Audit and Control Association (ISACA) | Certified Information Security Manager (CISM)

Computing Technology Industry Association (CompTIA) | Network+, Security+, Linux+

Project Management Institute (PMI) | Project Management Professional (PMP)

SANS Institute / Global Information Assurance Certification (GIAC) | GIAC Web Application Penetration Tester (GWAPT); GIAC Web Application Defender (GWEB); GIAC Security Essentials (GSEC); GIAC Penetration Tester (GPEN); GIAC Certified Intrusion Analyst (GCIA); GIAC Certified Incident Handler (GCIH); GIAC Industrial Cyber Security Professional (GICSP); GIAC Certified Forensic Analyst (GCFA); GIAC Reverse Engineering Malware (GREM)

EC-Council | Certified Ethical Hacker (CEH); Certified Network Defense Architect (CNDA); EC Council Certified Security Analyst (ECSA)

Offensive Security | Offensive Security Certified Expert (OSCE); Offensive Security Certified Professional (OSCP); Offensive Security Wireless Professional (OSWP)

Linux Professional Institute | Linux Server Professional Certification (LPIC-1)

Microsoft | Microsoft Certified Technology Specialist (MCTS); Microsoft Certified Professional (MCP)

Committee on National Security Standards / National Security Telecommunications and Information Systems Security Committee (NSTISSC) | 4011 Information Systems Security (INFOSEC) Professionals; 4012 Senior Systems Managers; 4013 System Administrators (SA); 4014 Information Systems Security Officers; 4015 Systems Certifiers; 4016 Risk Analysts


Proposed Team and Related Experience

BreakPoint Labs has identified and prepared a highly qualified and technically proficient workforce to deliver superior Penetration Testing and Security Assessment services to the City of Bryan. While the delivery of thorough cybersecurity services is paramount to BreakPoint Labs’ business, the best and brightest are made available to support the City of Bryan and their desired goals. During the assessment timeframe BPL may request that the City of Bryan staff assist the BPL proposed team with proper planning, authorization and access as necessary to complete the project. BreakPoint Labs has selected a technically proficient and proven project team for the City of Bryan, which includes over twenty-five (25) years of combined experience performing both defensive and offensive security projects for a wide variety of customers. The proposed project team below will deliver all the services requested and comply with all regulations and policies set forth by the City of Bryan.


Andrew McNicol, CTO

● LinkedIn: https://www.linkedin.com/in/andrewmcnicol

● SANS Bio: https://www.sans.org/instructors/andrew-mcnicol

● SANS Certifications: https://www.giac.org/certified-professional/andrew-mcnicol/127122

Andrew McNicol is driven by his passion for helping organizations identify exploitable vulnerabilities before an adversary. He is one of the founders and the CTO at BreakPoint Labs specializing in offensive security services, mentor for SANS, and one of the founders and lead authors of Primal Security. Previously, he led a penetration testing team and worked on an incident response team for DoD, Law Enforcement, and Commercial organizations.

Andrew holds an M.S. in Information Assurance, a B.S. in Information Systems, and a variety of technical Information Security qualifications (OSCE, OSCP, OSWP, GICSP, GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, etc.). Andrew is very active in the security community via conferences, blogging, podcasts, social meet ups, trainings, etc. He also enjoys helping others gain technical security skills by acting as a mentor for the SANS penetration testing course.

Zachary Meyers, Project Manager & Senior Penetration Tester

● LinkedIn: https://www.linkedin.com/in/zacharyjmeyers

● SANS Certifications: https://www.giac.org/certified-professional/zachary-meyers/138853

Zack Meyers is a motivated Information Security geek and Project Manager for BPL cyber security assessment services. He is a skilled and senior level penetration tester specializing in Web Application, Internal, ICS/SCADA, User Driven Testing and External Assessments. He is a member of Primal Security’s blog and podcast team and has been a public speaker at many cyber security conferences. Zack holds a Master's degree in Cyber and Information Security, as well as a bachelor's degree in E-business and Marketing. He currently has several cyber security certifications including OSCP, CISSP, GPEN, GWAPT, GCIH, GICSP, CEH, Security+, etc.

Matthew Murray, Senior Penetration Tester

● LinkedIn: https://www.linkedin.com/in/matthew-murray-63081114a

Matthew Murray is a passionate and driven Information Security Geek for BPL cyber security assessment services. He is a skilled penetration tester who specializes in external and internal penetration testing. Matt has a Bachelor's degree in Information Technology and currently holds a variety of Information Security certifications, including CISSP, OSCP, and Security+.


Michael Mitchem, Senior Penetration Tester

● LinkedIn: https://www.linkedin.com/in/michael-mitchem-oscp-oswp-ceh-b16657a/

Michael Mitchem is a dedicated Information Security professional and Web Application Penetration Tester for BPL cyber security assessment services. He pulls from his 13+ years of technical experience as a senior network engineer, technical validator and cybersecurity technical team lead in this role to perform internal and external penetration testing in a precise and time-efficient manner. Michael currently holds several cybersecurity certifications including CEH, Security+, OSWP and OSCP. He also has proficiency in Bash and Python scripting languages as well as web and database technologies including HTML, PHP, and SQL.

Lucas Hudson, Senior Penetration Tester

● LinkedIn: https://www.linkedin.com/in/3z57uff

● SANS Certifications: https://www.giac.org/certified-professional/lucashudson/132965

Luke Hudson is a security engineer who is enthusiastic about vulnerability enumeration and exploitation. He is a skilled and senior level penetration tester specializing in Web Application, Internal, ICS/SCADA, Wireless and External Assessments. Previously, he was a Subject Matter Expert (SME) for DoD’s vulnerability management project before moving to focus on penetration testing and offensive security. He is one of the founders and lead authors of Primal Security Podcast, focusing on creating information aimed at fellow security professionals. Luke currently holds a large variety of Information Security certifications, including OSCE, OSCP, OSWP, GICSP, GCFA, GPEN, GWAPT, GWEB, CISSP, CEH, etc.

Performance and Regulatory Authority Assurances

BreakPoint Labs (BPL) can confirm, acknowledge and/or will abide by the following statements as requested:

• No performance related litigations exist for BPL currently or have been filed over the last five (5) years.

• No contracts have been terminated due to non-performance over the last five (5) years.

• No adverse actions have been sanctioned by any regulatory authorities over the last five (5) years.


TAB B - Rates and Expenses

City of Bryan Penetration Testing & Security Assessment

Service | Year 1 | Year 2 | Year 3

External Penetration Testing & Assessment (75 IPs) | $8,950 | $8,055 | $7,608

Internal Penetration Testing & Assessment (200 /24s & ICS testing included) | $29,300 | $26,370 | $24,905

Wireless Penetration Testing & Assessment (5 SSIDs) | $4,150 | $3,735 | $3,528

Application Penetration Testing & Assessment (15 applications) | $7,350 | $6,615 | $6,248

Client Side Penetration Testing & Assessment (Phishing 50 clients) | $7,350 | $6,615 | $6,248

Travel (3 Engineers) | $4,500 | $4,500 | $4,500

Total Firm Fixed Price | $61,600.00 | $55,890 | $53,037

The pricing detailed above is a firm fixed price that will not exceed the quote given and will include all and any reimbursable expenses such as travel proposed in the timeline of the proposal. BPL is open to negotiate its proposed cost if City of Bryan decides negotiation is appropriate. We understand that you are the customer and we are ultimately here to make sure that you are satisfied with our services. This is why we don’t expect any payment upfront until our job is completed to your satisfaction and a final report is delivered to you. The total amount agreed upon in the initial contract will be due within 30 days of the delivery of the final report.

Rates and Expenses Assurances

BreakPoint Labs (BPL) can confirm, acknowledge and/or will abide by the following statements as requested:

• The total firm fixed price detailed above includes the travel, per diem expenses, printing, video conferences, and other incidental expenses for the firm.


• BreakPoint Labs shall incur no travel or related expenses chargeable to the City without prior approval by an authorized City representative.

• Related expenses chargeable to the City, such as supplies, printing, binders, etc. shall be passed through at BPL's cost. Related expenses shall not include postage, copies, telephone toll charges, or other charges incurred in the normal course of business and shall not be charged.

• BreakPoint Labs acknowledges that any expenses not specifically listed will not be considered reimbursable.


TAB C - Project Timeline

An initial project management meeting (kick off call) will be held prior to the start of the assessment to capture and ensure quality in our services while discussing the scope of work, desired outcome, and rules of engagement for the City of Bryan penetration test. Once the assessment has begun, BPL security engineers can provide the City of Bryan appointed contacts progress reports when key decision points are achieved or even daily communication in the form of email updates during the duration of the assessment if desired by the City of Bryan. Often, BPL progress reports and communication of this kind will include any outstanding issues, accomplishments, on-going activities, and upcoming actions across the project. In addition, an end of the week project call can be provided to communicate progress including status and milestones, as well as early identification of any risks or challenges associated with the project. BPL's penetration testing project plan approach takes an external and internal attacker perspective while reviewing designated systems. BPL works with the City of Bryan to understand their desired goals and determine the impact an adversary could have on the organization as a result of the current attack surface. BreakPoint Labs security engineers will provide an in-depth security assessment for the organization with the added value of going beyond an automated scan via manual testing techniques to identify security vulnerabilities and misconfigurations. If any critical or high-risk vulnerabilities are uncovered during the assessment, BPL security engineers will provide a detailed write up and notify the designated City of Bryan point of contact(s). This communication will be provided along with any additional information or insight that the City of Bryan may require.

BPL proposes an approximately three to four (3-4) week assessment timeframe, which allows adequate time to conduct in-depth penetration testing with both automated and manual testing techniques to enumerate security risks for the City of Bryan. The project timeline and milestones chart below illustrates the proposed project plan in more detail, to include an additional week for reporting and analysis upon completion of testing. The milestones are represented in the chart below and the follow-on actions and milestones within the timeline will not be completed until the prior activity is completed. The project plan and assessment timeline are open to discussion with the City of Bryan upon award:


Note: For a larger reference of the proposed timeline and milestones please see Appendix A. Below is a proposed timeline of events:

• Kick-Off Meeting: TBD

• Active Testing (3-4 Weeks): TBD

o External Reconnaissance and Penetration testing of ~75 Internet Facing Services (week one)

o Internal Network Reconnaissance and Mapping through the VPN or remote solution (week one)

o Application Reconnaissance and Mapping through the VPN or remote solution (week one)

o Client Side Penetration Testing – Phishing Campaign crafted and sent to ~50 recipients (week one)

o Internal Penetration Testing through the VPN or remote solution (week two & three)

o Application Penetration Testing through the VPN or remote solution (week two & three)

o Internal ICS Testing on site (week three)

o Wireless Penetration Testing on site (week three)

• Data Collection, Analysis and Assessment Reporting (1 Week): TBD for Report Delivery

o Out brief Presentation and Discussion Post Assessment (~1 hour call): TBD

• Ongoing Remediation Testing On-Demand Post Reporting: TBD

Note: This is a proposed timeframe. The bulk of the work can be completed within approximately three to four (3-4) weeks. BPL can support the project in the upcoming months pending the desired start date once discussed and agreed upon.


TAB D - Methodology and Technical Approach

1.0 Why Choose BreakPoint Labs (BPL)?

One of the goals at BreakPoint Labs is to “Break the Cycle”, which means providing high-end security services using extremely dedicated personnel to deliver impactful and lasting improvements to the overall security. The cybersecurity industry has a focus on “running tools” or “completing a checklist”, and relying solely on these methods will result in missed vulnerabilities that could lead to a complete compromise. BPL security engineers adopt an attacker mindset, thinking like the adversary to misuse technology in creative ways that existing scanning tools would miss. To properly conduct a security assessment, you need a methodology beyond “scan the CIDR range with XYZ tool.” BPL understands this and has adopted a comprehensive risk-based approach, which is detailed further in section 2.0.

One of the core values when performing security assessments is to go beyond automated tools. This mindset has led to BPL security engineers being invited to speak at various technical and user conferences: BSides CHARM, BSides Philly, BSides DC, BSides Jackson, BSides NOVA, and RVAsec. BPL believes anyone can click the “scan” button on tools, but very few can actually approach the technology the same way an attacker would to find critical risk vulnerabilities. In the sections below BPL expands upon its methodologies for each requested service area and how our team goes beyond automated tools to identify security vulnerabilities, flaws and misconfigurations.

Another way BPL differentiates itself from its competitors is by taking time to understand the customer's business from a functional perspective. BPL understands that each organization prioritizes confidentiality, data integrity, and availability differently from other organizations or from notional business practices. BPL has customers that simply cannot tolerate having their systems go offline for any amount of time. Accordingly, BPL ranks findings differently and tailors its remediation advice to help them achieve their goal. BPL understands that every organization is different and that a specific vulnerability may impact different organizations in different ways. BPL takes the time to understand your business to provide a superior service.

When you receive a penetration test and security assessment from BreakPoint Labs, you are not getting the output from an automated tool such as Nessus or a Burp Suite Scan; you are getting a tailored report that fits your organization, prepared by motivated, dedicated, and experienced security engineers. BPL takes pride in not simply delivering the report to a company and moving on to the next. The security engineers at BPL can provide additional training and support to City of Bryan after performing the assessment. BPL wants to help an organization understand what was performed and identified to enhance City of Bryan’s security posture and understanding. An example of this support would be that several of its customers run Nessus scans for vulnerability management, but do not address web applications with other tools. For proper vulnerability management additional scanning tools need to be leveraged for web technologies. BPL security engineers can help the City of Bryan's IT and security team understand options for ongoing vulnerability management activities that leverage free and open source technologies.

BPL security engineers have a passion for performing this work that will transfer to the City of Bryan as a high-quality service, and can be relied on to solve tough security problems now and in the future. BreakPoint Labs accepts full responsibility for all the penetration testing and security assessment services requested. BreakPoint Labs only requests that the City provides assistance and guidance with the pre-assessment planning and access to the City’s scoped environments as necessary for the BPL team to perform the security testing.

2.0 BPL's Security Assessment Methodology - A Risk Based Approach

BreakPoint Labs has focused on employing a repeatable, risk-based methodology that leverages best practices derived from industry standards, such as the Penetration Testing Execution Standard (PTES), and the Open Web Application Security Project (OWASP) Online Testing Guide (OTG). BPL prides itself on going beyond automated testing through the use of in-depth manual testing techniques. The focus on manual testing allows BreakPoint Labs to remove false positives and find vulnerabilities missed by running automated vulnerability scanning tools.


3.0 External Penetration Testing and Vulnerability Assessments – Our Approach

During an External Penetration Test, BreakPoint Labs will emulate the presence of an adversary trying to attack the organization externally. BPL will evaluate the scoped external systems and services for the target organization utilizing the following methodology:

1. Scoping

2. Reconnaissance: Discovery

3. Automated Testing: Enumeration

4. Manual Testing

5. Exploitation (If in Scope)

6. Reporting and Analysis

7. Remediation Support

Key Objectives

• Enumerate the City of Bryan's scoped external technology footprint and evaluate the Internet facing services and current controls to identify exploitable vulnerabilities.

• Attempt to exploit any vulnerabilities, flaws or misconfigurations discovered within the defined Internet facing infrastructure.

• Enumerate any security concerns related to the current attack surface of the scoped systems.

The external penetration test will evaluate the security controls put in place for the Internet facing infrastructure at the City of Bryan's request. BPL security engineers will enumerate vulnerabilities related to all remotely accessible systems that reside in the City of Bryan's scoped systems or are otherwise providing a service to the Internet.

3.1 Scoping

Prior to the assessment, it is important to have an initial discussion to identify the goals that the City of Bryan hopes to achieve. Having an understanding of the City of Bryan's priorities and desired outcomes will strengthen the overall value of the work performed. During this initial discussion, BPL requests that critical information be provided to facilitate communication, determine if the testing to be performed is appropriate in the given scenario, and obtain formal authorization for all activities to be performed external to the network during this phase of the assessment.

3.2 Reconnaissance: Discovery

The goal of Reconnaissance is to enumerate the external footprint of services and systems related to the City of Bryan using various techniques and sources such as Shodan, Nmap, search engine exposure, domain registrant information, DNS, 3rd party site exposure, and other Open Source Intelligence (OSINT) tools. BPL can then map the externally accessible services on each system and identify vulnerabilities associated with them. This is critical because it can identify assets and/or content that may be unknown to the City of Bryan staff. BPL wants to assure the City of Bryan that as a partner, it is highly confident in the identification of publicly available assets and potentially vulnerable services.

3.3 Automated Testing: Enumeration

BPL will utilize various commercial and open source tools to evaluate the security posture of the external services identified during the Reconnaissance phase. Automated scanners will often find common vulnerabilities and flaws within applications based on a series of signatures or checks built into their scans. One common false positive with automated tools is identifying SQL Injection (SQLi) based upon the string “error” being present in the response from a request. This can cause a large number of false positives, and also be something that can be difficult to enumerate using fully automated means. In instances like this the team leverages manual testing to validate the findings and enumerate vulnerabilities that have been missed.
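The false positive described in section 3.3 can be reproduced when triaging scanner output. The following is an added example, not part of BPL's proposal or tooling: it contrasts the bare "error" substring check with a triage step that compares the flagged response against a baseline response and looks for database-engine error text. The function names, verdict labels and sample responses are assumptions constructed for illustration.

```python
import re

# Error text emitted by common database engines. A match is much more specific
# than the bare word "error", but it is still evidence to validate by hand.
DB_ERROR_SIGNATURES = {
    "mysql": re.compile(r"You have an error in your SQL syntax", re.I),
    "mssql": re.compile(r"Unclosed quotation mark after the character string", re.I),
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "postgresql": re.compile(r"syntax error at or near", re.I),
}


def naive_flag(body):
    """The scanner-style check from the text: any 'error' in the response."""
    return "error" in body.lower()


def db_signatures(body):
    """Names of the database engines whose error text appears in the body."""
    return {name for name, rx in DB_ERROR_SIGNATURES.items() if rx.search(body)}


def triage(baseline_body, probe_body):
    """Classify a scanner hit by comparing the probe response to a baseline.

    baseline_body: response to the unmodified request.
    probe_body:    response to the request the scanner flagged.
    The verdict labels are hypothetical names chosen for this example.
    """
    if not naive_flag(probe_body):
        return "not-flagged"
    # Database error text that only appears for the probe is worth manual validation.
    if db_signatures(probe_body) - db_signatures(baseline_body):
        return "db-error-introduced"
    # "error" was already on the page before the probe: static text, not a finding.
    if probe_body.lower().count("error") <= baseline_body.lower().count("error"):
        return "false-positive-static-text"
    # A new, generic error (for example input validation) proves nothing by itself.
    return "generic-error-manual-review"


# Constructed sample responses: (label, baseline body, body for the flagged request).
SAMPLES = [
    ("footer-link",
     "<h1>Results</h1><a href='/contact'>Report an error</a>",
     "<h1>No results</h1><a href='/contact'>Report an error</a>"),
    ("input-validation",
     "<h1>Results</h1>",
     "<p>Error: search term contains invalid characters</p>"),
    ("mysql-syntax",
     "<h1>Results</h1>",
     "<pre>You have an error in your SQL syntax; check the manual that "
     "corresponds to your MySQL server version</pre>"),
    ("clean",
     "<h1>Results</h1>",
     "<h1>No results</h1>"),
]


def naive_hits():
    """Labels of the samples the bare substring check would report."""
    return [label for label, _, probe in SAMPLES if naive_flag(probe)]


def run_samples():
    """Triage verdict for every constructed sample."""
    return {label: triage(base, probe) for label, base, probe in SAMPLES}


if __name__ == "__main__":
    print("naive check flags:", naive_hits())
    for label, verdict in run_samples().items():
        print(f"{label:18} {verdict}")
```

The substring check reports three of the four samples, while only one of them contains database error text that the baseline lacks; the remaining hits are the ones manual testing has to confirm or discard.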

3.4 Manual Testing

BPL prides itself on identifying vulnerabilities that automated tools will often miss and going beyond common vulnerabilities to discover others that are often not evaluated. BPL believes in leveraging automated tool findings as a component of manual testing, but never as the final solution to an assessment's findings. BPL believes in reducing false positives by leveraging a web proxy tool (Burp Suite Professional) and Python to evaluate the external services in an attempt to abuse available application or system features. During this phase, BPL conducts more aggressive and in-depth testing to find vulnerabilities missed by automated tools.

A recent report from the Department of Homeland Security (DHS) National Cybersecurity Assessment and Technical Services (NCATS) team stated that 67% of high impact vulnerabilities required manual testing to enumerate. BPL fully agrees with DHS and feels that manual testing is pivotal to find the vulnerabilities commonly missed by automated testing and tools.

4.0 Internal Penetration Testing – Our Approach

During the Internal Penetration Test, BreakPoint Labs will follow a similar methodology as external testing, adjusted appropriately for the nature of internal systems. BPL will attempt to emulate the presence of an adversary with inside access, or a malicious insider attempting to attack the organization. BPL will evaluate the security posture of all the internal scoped systems and services, as well as the level of network access to resources and systems for the City of Bryan utilizing the following methodology:

1. Scoping

2. Reconnaissance: Discovery

3. Automated Testing: Enumeration

4. Manual Testing

5. Exploitation (If in Scope)

6. Reporting and Analysis

7. Remediation Support


BPL will first strive to gain access to legitimate accounts using various techniques, such as LAN protocol manipulation, SMB/Samba enumeration, Exploitation, Privilege Escalation, and various other techniques. If legitimate access is not gained during the assessment, the City of Bryan can provide testing credentials to see how far a compromised user account could pivot into the scoped network if desired.

Key Objectives

• Identify vulnerabilities on internal devices that were accessed from the External assessment.

• Scan and map the scoped City of Bryan internal network infrastructure to identify vulnerabilities.

• Attempt to gain elevated privileges (root/administrative level access) to systems.

• Attempt to bypass system controls to obtain unauthorized access to data and/or systems within the City of Bryan's defined scope.

4.1 Scoping

Prior to the assessment, it is important to have an initial discussion to identify the goals that the City of Bryan attempts to achieve. Knowing the City of Bryan's priorities and desired outcomes will strengthen the overall value of the work performed. During this initial discussion, BPL requests that critical information be provided to facilitate communication, determine if the testing to be performed is appropriate in the given scenario, and obtain formal authorization for all activities to be performed prior to execution.

4.2 Reconnaissance: Discovery

This phase will be dedicated to identifying the internal footprint of services and systems in scope utilizing various techniques such as Nmap, ARP traffic, Nessus, Custom tools, etc. BPL will then map the internally accessible services on each identified system and identify any vulnerabilities associated with them. This is a critical phase as it allows the assessment team to properly validate that the tested systems are within scope.

4.3 Automated Testing: Enumeration

BPL will utilize various commercial and open source tools to evaluate the security posture of the services and systems identified during the reconnaissance phase. Automated scanners will often find common vulnerabilities and flaws within applications based on a series of signatures and/or checks built into the scans. This can cause a large number of false positives, and is something that is extremely difficult to properly enumerate using only automated means. This phase generally leads into manual testing to validate findings and enumerate any additional vulnerabilities that may have been missed.

4.4 Manual Testing

BPL puts forth a great deal of effort in focusing on identifying vulnerabilities that automated tools will generally miss, and strives to go beyond common vulnerabilities to discover what is overlooked. Leveraging an automated tool is a useful component of manual testing, but should never be considered the final solution in terms of an assessment's findings. Hands on service interaction, custom tools, and additional exploitation tools are utilized to reduce false positives and learn the true risk of a system feature, service or application.

5.0 Wireless Network Penetration Testing

BPL utilizes the Penetration Testing Execution Standard (PTES) as a foundation for wireless assessment methodologies in an attempt to simulate real-world attacks, providing an accurate depiction of the vulnerabilities and threats to the organization’s wireless network infrastructure. The BPL wireless assessment methodology provides an understanding of the risks posed to the organization from the perspective of an attacker and is not limited to automated testing. The methodologies utilized include the following components:

• Identifying the customer’s wireless presence and infrastructure.

• Analyze the gathered data to create a plan of attack tailored to the organization and their specific business risks.

• Attempt to crack the passwords for any discovered network in scope, or attempt to successfully brute force authenticate to the networks in scope.

• Identify if proper network segmentation exists while connected to the wireless access points.

BPL will evaluate all documented wireless networks and access points, and attempt to locate and evaluate any undocumented hotspots or access points. This process includes enumerating any WEP/WPA/WPA2 access points that are in use within geographical range of the customer organization, as well as determining if proper hardening methodologies have been implemented. Additional hardware will be utilized to perform wireless auditing and man in the middle attacks by impersonating existing access points and intercepting current connections.

6.0 SCADA and Industrial Control System (ICS) Testing

BPL understands the potential impact of performing security testing on critical infrastructure and plans to take the appropriate action to identify risk without negatively impacting systems. An example of this is when the team performs testing of SCADA systems and relies on passive and manual techniques vs. automated testing (scanning tools). In our experience, performing active / automated testing against SCADA and ICS systems can result in negative impact to those systems and the critical processes they are supporting. Our approach leans more on experience vs. automated scanning tool logic, allowing us to enumerate flaws in SCADA and ICS systems without negatively impacting them the way scanning tools can. Some examples of this could be identifying unprotected / unknown services, default credentials and configurations, and insecure protocols in use without proper segmentation. As with all of our security testing, BPL engineers follow industry best practices (Framework for Improving Critical Infrastructure by NIST), and leverage skilled engineers to make educated decisions while assessing these critical systems in the engagement. Our engineers come from a background supporting DoD critical infrastructure and have validated that knowledge and experience by obtaining the Global Industrial Cyber Security Professional (GICSP) certification by SANS and GIAC.

7.0 Client-Side Penetration Testing

7.1 Spear Phishing Campaign

A well-crafted spear phishing attack can lead to a large amount of system compromise(s). Threat actors leverage spear phishing campaigns heavily to establish a position within the network, leading to further bypassing of the organization's detection and protective measures. Once successful, this attack can expose an organization's internal resources to an adversary, all due to an end user's interaction with a malicious email or attachment.

The BPL security engineers can emulate this activity to help identify risk and train users. Target emails can be identified and scoped, or can be enumerated using reconnaissance techniques (emails listed on websites, online profiles, etc.). To conduct a spear phishing campaign, the BPL security engineers normally clone a site that is related to the target organization. For example, the main City of Bryan web site (www.bryantx.gov) can be cloned and hosted at a similar domain (www.bryantxgov.org). The site would be completely identical in look, feel, and functionality, but could also be leveraged to accomplish different tasks depending upon the campaign.

Spear phishing campaigns can be customized to accomplish different goals. There are three main types of campaigns:

1. Determine who clicked the link or opened the document.

2. Attempt to trick users into authenticating to a fake system.

3. Attempt to perform client-side exploitation to execute code on the user's system.

Option 1 is commonly used for stand-alone spear phishing campaigns to increase security awareness, whereas options 2 and 3 are often leveraged as part of a larger overall assessment that includes external and internal testing methodologies.

8.0 Application Penetration Testing

During an application penetration test, the BPL security engineers will emulate the presence of an adversary or malicious user trying to abuse application features and capabilities. Often an application penetration test will be tailored towards a subset of applications, IPs, and/or domains to evaluate the security posture from the defined scope's attack surface. The BPL security engineers will evaluate all of the application's features and services to identify potential vulnerabilities that could lead to exploitation. Our methodology and process for application penetration testing is similar to our external penetration test(s) and vulnerability assessment(s) addressed earlier (Section 3.0).

8.1 Application Automated and Manual Testing

The BPL team has experience testing applications with both automated and manual approaches to identify known vulnerabilities and potential risks within the mapped application's contents. The BPL team will also provide a manual review of any automated testing tool output to ensure that false positives are non-existent within the final report of findings. Lastly, the manual application security review will provide the organization with not only the identification of previously unknown vulnerabilities but also a clear picture of what an attacker could abuse or misuse from legitimate application features and/or functionalities.

8.2 Credentialed Application Penetration Testing

If the City of Bryan chooses to provide the BPL team with credentials to application(s) in scope, then an in-depth review of post-authentication content can also be performed. With credentialed access to the system(s), the BPL team will determine if any additional risks and vulnerabilities are possible after authentication to the application has occurred, in content typically available only to legitimate users. Many unknown vulnerabilities and exploits exist within applications once authenticated, often due to the narrow scope of authorized users only being permitted to access this content.

Application Penetration Testing Key Outcomes & Benefits

• Improving the City of Bryan's application security, as we will identify important security risks and vulnerabilities including but not limited to the OWASP Top 10 (SQLi, XSS, etc.).

• Providing guidance and testing of remediation(s) put into place for the identified security risks.

• Identifying threats and solutions to meet current regulations, standards and compliance(s).

9.0 Reporting and Analysis

BreakPoint Labs personnel will provide comprehensive report(s) that provide detailed information for every vulnerability, expressly articulate the business risk associated with each vulnerability, and provide recommendations for remediation actions. All critical severity vulnerabilities will be reported immediately to the agreed upon City of Bryan POCs. BPL will deliver comprehensive report(s) to the City of Bryan (below) and/or offer sample reports that may provide better or additional ways of displaying or interpreting vulnerability findings. Topic areas will include, as a minimum:

1. A detailed description of the service provider’s approach and methodology process (including tools used, scripts followed, date and time that each test was performed).

2. The test description and corresponding results – all identified vulnerabilities must be clearly stated and risk ranked.

3. Implications of the test results, including risk factors.

4. Recommendations for resolving negative test results.

5. Summary of informational objects that can be accessed from sources external to the network.

6. Regardless of the test result, recommendations for further improvements and/or implementations for best practice strategies.

The analysis process employed by BPL takes into account, and ensures an understanding of, the impact vulnerabilities can have for the specific business or organization. Some organizations put more focus on confidentiality, whereas others focus more heavily on the availability of their systems. BPL's analysis process also considers how vulnerabilities can relate, such as combining several low and informational findings to expose a critical risk to the organization.

9.1 Remediation Testing and Support

After the deliverables of the work are received and reviewed by the City of Bryan, the BPL team can provide additional remediation support if agreed upon with your organization. Upon request, BPL will also provide a presentation summarizing any vulnerability findings to ensure that report findings are fully understood and to answer any unresolved questions related to the findings. Finally, BPL can provide a mitigation review and further testing of vulnerability findings once deemed resolved by the City of Bryan to ensure remediation and/or mitigation implementation is successful.

10.0 Data Security

All BreakPoint Labs security engineers have been granted a DoD Top Secret (TS) security clearance with full background investigations. All of BPL's personnel are currently cleared and undergo regularly scheduled periodic reinvestigations. BreakPoint Labs security engineers have extensive experience in both unclassified and classified environments, and have been trusted with highly sensitive information on DoD Sensitive Compartmented Information (SCI) programs.

BreakPoint Labs security engineers understand the need for data security and take it very seriously when working with customer organizations. Whether BreakPoint Labs security engineers are working with the DoD, a commercial company, or any institution, data security and privacy are of paramount importance.


10.1 Tools Leveraged

BPL security engineers evaluate technology features with an “Attacker Mindset” to creatively misuse technology like a motivated and skilled adversary. We use a combination of tools and techniques including but not limited to the following:

Burp Suite Pro, Acunetix, Cobalt Strike, Nessus, Nmap, Masscan, EyeWitness, Netcat, Maltego, Shodan, Censys, Recon-ng, Metasploit, SQLMap, Whatweb, Wappalyzer, John The Ripper, OCLHashcat, Mimikatz, Patator, BeEF, Cain, SET, SSLScan, WPScan, CMSexplorer, Joomscan, Sparty, Nikto, Firebug, RainbowCrack, CudaHashCat


10.2 Assurances and Warrants

BPL believes that it is important to emphasize that assurance is a core competency throughout every step of its assessment methodology. The BPL team demonstrates this ability through accomplishing its security objectives not only for your organization but for its own practices as well. Below are several examples of assurances that BPL stands by as a company in providing services to the organization.

• Excellent Communication and Documentation of Results – All customer questions and concerns will be addressed in a timely manner and detailed findings are explained in final report(s).

• Safeguards in Place to Protect Our Infrastructure – BPL operates from its own secure infrastructure and executes operations under the confidentiality agreement and NDA between BPL and the City of Bryan.

• Procedures to Avoid Negative System Impact – BPL will agree upon the timeline, scope and types of testing to avoid negative impacts to the organization during the assessment process.

• Conducting Thorough Assessments with Current Tools and Techniques – BPL personnel utilize current tools, techniques, and procedures that threat actors commonly leverage to identify vulnerabilities and flaws in the organization’s security.

• Feedback Through Quality Assurance – BPL encourages customer feedback and requests a satisfaction survey to be completed to ensure that its services meet your expectations of a quality assessment.

• Compliance, Warrants, Agreements and Acknowledgements – BreakPoint Labs agrees, warrants, complies with and/or acknowledges all legal and stipulated requirements detailed in the City of Bryan Solicitation.


10.3 BPL Goes Beyond Automated Tools

All too often security assessments become a race to complete vulnerability scans and rush the data into a report. This type of testing provides little value to the target organization because they are often left with a mountain of false positives, and the risk is not properly classified for the environment. BreakPoint Labs security engineers are passionate about going beyond automated tool output to properly classify risk for the target organization. In-depth manual testing helps remove false positives, but may also find what automated tools commonly miss. BPL's cybersecurity professionals and security engineers are excited to change others’ mindset of relying explicitly on automated processes and have spoken at several industry conferences on how to go beyond automated tools and testing: https://breakpoint-labs.com/beyond-automated-tools/

10.4 BPL Finds Vulnerabilities and Bad Guys

A security assessment is often focused on finding vulnerabilities that introduce risk into an organization, but what happens if your company is already compromised? BreakPoint Labs sees this as a potentially high risk to an organization and works not only to identify vulnerabilities, but also to determine if the system(s) have already been compromised. As data is analyzed for potential exposure and vulnerabilities, BPL is conscientious about maintaining situational awareness for any signs of compromise.

BPL also offers the ability to analyze network traffic during the course of the assessment. Monitoring network traffic allows BPL security engineers to help its customer enumerate potentially compromised systems.


TAB E - References

We invite you to talk with our clients for confirmation of the quality and value of the services we provide.

1) DoD High Performance Computing Modernization Program (HPCMP)
Point of Contact: Krisa Rowland, Associate Director for Security at DoD HPCMP
Phone: 601-634-2493
Address: 10501 Furnace Road, Lorton, VA 22079
Email: [email protected]
Services Provided: External Vulnerability Assessments, Network Vulnerability Assessments, Web Application Testing, Network Intrusion Detection, Penetration Testing, Social Engineering (User Driven), and Physical Security Review.

2) Broward County Board of County Commissioners
Point of Contact: Ryan Buenaventura, Information Systems Manager
Phone: 954-357-8574
Address: 115 S. Andrews Ave. Room 212, Ft. Lauderdale, FL 33301
Email: [email protected]
Services Provided: Web Application Testing, Social Engineering (User Driven), Penetration Testing, External Vulnerability Assessments.

3) Maryland Auto Insurance (MAI)
Point of Contact: Matt Ailstock, IT Systems Manager
Phone: 667-210-5129
Address: 1215 East Fort Ave. Suite 300 Baltimore, MD 21230
Email: [email protected]
Services Provided: External Vulnerability Assessments, Network Vulnerability Assessments, Web Application Testing, Social Engineering (User Driven), Penetration Testing, Physical Security Review, and Policy & Processes Review.


TAB F - Certification Page

BreakPoint Labs acknowledges any Addenda issued by the City of Bryan in regards to this solicitation and is willing to sign the City’s Standard Form of Agreement.


CERTIFICATION AND AUTHORIZATION

CERTIFICATION and AUTHORIZATION: The undersigned certifies that he has fully read RFP #19-017 and understands this "Request for Proposal" and has full knowledge of the scope, quantity, and quality of the services to be furnished and intends to adhere to the provisions described herein. The undersigned also affirms that they are duly authorized to submit this proposal, that this proposal has not been prepared in collusion with any other Vendor, and that the contents of this proposal have not been communicated to any other Vendor prior to the official opening of this proposal. Additionally, the undersigned affirms that the firm is willing to sign the enclosed Exhibit A, Standard Form of Agreement Contract.

By signing below, the FIRM certifies that neither the signatory, nor any co-owner of the FIRM, is related to a member of the City Council of the City of Bryan within the third degree of consanguinity (blood) or within the second degree of affinity (marriage).

Signed By: _________________________________
Title:
Typed Name: _______________________
Company Name:
Phone No.: ______________________________
Fax No.:
Email:

Bid Address:
P.O. Box or Street City State Zip

Order Address:
P.O. Box or Street City State Zip

Remit Address:
P.O. Box or Street City State Zip

Federal Tax ID No.: _____________________________
Date:

END OF RFP #19-017

CTO
Andrew McNicol
BreakPoint Labs
443-223-0482
8116 Arlington BLVD #255 Falls Church VA 22027
02/05/2019
47-4581296


Appendix A – Proposed Timeline & Milestones