September 3, 2015
Submitted By: Carlos Henley DynTek Services, Inc.
2260 Wednesday St., Suite 600, Tallahassee, FL 32308. Phone: (850) 219-7911. Fax: (850) 219-7919. www.dyntek.com
Department of Management Services
Request for Information
Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services
DynTek Services, Inc. 2
Request for Information 9/3/2015
Contents
INTRODUCTION ... 3
BACKGROUND ... 3
CONTACT INFORMATION ... 4
RESPONSE TO SECTION IV ... 4
Pre-Incident Services ... 5
A) Incident Response Agreements ... 5
B) Assessments ... 5
Standards Based Information Risk Assessments ... 5
Cyber Security Testing ... 7
C) Preparation ... 8
Consulting on Information Assurance Issues ... 8
D) Developing Cyber-Security Incident Response Plans ... 9
E) Training ... 11
Information Security Training ... 11
Post-Incident Services ... 12
A) Breach Services Toll-free Hotline ... 12
B) Investigate/Clean-up ... 12
C) Incident Response ... 13
Cyber Incident Response ... 13
D) Mitigation Plans ... 13
INTRODUCTION
With over 20 years of experience, DynTek Services, Inc. (DynTek) is a premier provider of technology and management solutions to commercial firms and to state and local government. Our comprehensive security solutions incorporate our full range of services. DynTek plans and implements strategic projects and creates and maintains systems for a wide range of platforms and architectures. DynTek has a history of providing the financial, healthcare, manufacturing and government vertical markets with technology-based tools and solutions to secure their systems against internal and external security threats.
BACKGROUND
DynTek’s assessment process is based upon industry standard methodologies and best practices, as well as years of actual application assessment experience. The result is a highly structured methodology and assessment process that can be uniformly deployed across all organizations. An effective information security program is based on people, processes, and technology. It is our belief that simply throwing money at technology does not guarantee a sound security program. For that reason, successful information security programs require the thoughtful integration of people and processes into a sound technical architecture. The trilogy of people, process, and technology is ingrained in our people and in the solutions and work-products that we deliver.
DynTek has been a vendor to State and Local customers in Florida, and has maintained a local office, since 1996. Our office is located at:
DynTek Services, Inc.
2260 Wednesday Street, Suite 600 Tallahassee, FL 32308
Phone: 850-219-7917 Fax: 850-219-7919 Tax ID: 13-4067484
DynTek maintains Federal GSA Schedule #GS-35F-0025N. DynTek also maintains state contracts in Florida, California, Nevada, New Jersey, and New York. Please visit our website at www.dyntek.com to view all government contracts.
CONTACT INFORMATION
Carlos Henley
Senior Account Manager, DynTek Services, Inc.
Phone: (850) 219-7911
Email: carlos.henley@dyntek.com
RESPONSE TO SECTION IV
DynTek is able to provide:

EXPERTISE
- Understanding cyberspace and cybersecurity
- Identifying and investigating contemporary threats involving cyberspace
- Anticipating the convergence of cybersecurity and the physical world
- Articulating risk issues related to cyberspace and cybersecurity
- Crafting custom solutions to the challenges of cyberspace and cybersecurity

DynTek delivers:

Preventative Solutions
- Standards Based Information Risk Assessments
- Cyber Security Testing
- Information Security Training

Detective Solutions
- Cybersecurity Analytics & Alerting
- Technical Surveillance Countermeasures
- Business Forensics

Corrective Solutions
- Consulting on Information Assurance Issues
- Cyber Incident Response
- IT Audit Advocacy

Cybersecurity Consulting Services
- Consulting on Cyber & Physical Risk Management Issues
- Assessing People and Business Security Risk
- Communications Security
- Systems Security Testing
- Operations Security
- Wireless Network Assessments
- Risk Assessments (Third Party, Vendor)
- Physical and Environmental Security
- Supply Chain Security Consulting
- Strategic Security Planning & Facilitation
Pre-Incident Services
A) Incident Response Agreements
Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.
DynTek can put a number of terms and conditions in place prior to any cyber-security event, including an initial retainer for on-demand incident response activities. Organizing the activities necessary to prepare in advance for the management and handling of incident response requires a lifecycle approach composed of serial phases (Preparation, Identification, Containment, Eradication, Recovery, and Follow-Up) and of ongoing parallel activities (Analysis, Communication, and Documentation).
Establishing a bank of hours or a retainer for pre-planning services, to be drawn on in the event of a significant incident that requires information/cyber security resources and expertise to augment the State of Florida’s own, should begin with an initial determination of the target organization’s information security incident response capability, its dependencies within the organization, and an incident response team structure that includes the designation of an incident response point of contact and an emergency communications protocol.
B) Assessments
Evaluate a State Agency’s current state of information security and cyber-security incident response capability.
Evaluation of an agency’s current state and capability to respond to a cyber-security incident is one of the core tenets of DynTek’s offerings and capabilities. Below are samples of what we examine and the depth to which it can be examined. This evaluation is one of the more important elements in the development of a security program. The Information Risk Assessment is directly related to the client’s needs and information security program.
Information Risk Assessments set the stage for establishing the information technology ‘big picture’. Our Information Risk Assessment process is built around an ISO 17799/27001 based framework, and controls are customized according to business needs: Health Insurance Portability and Accountability Act of 1996 (HIPAA); Federal Information Security Management Act of 2002 (FISMA); Financial Services (Federal Financial Institutions Examination Council (FFIEC) and Gramm-Leach-Bliley Act (GLBA)); North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP); and Payment Card Industry Data Security Standard (PCI DSS). Our inquiry will include every aspect of your organization: people, process, and technology.
TYPES OF ASSESSMENTS (Purpose/Type: Process Description)

INFORMATION RISK ASSESSMENT for PROGRAM DEVELOPMENT: Information Risk Assessment consisting of 11 Information Security Management Controls and 132 sub-components.

INFORMATION RISK DOCUMENT REVIEW: Analysis of the client-completed DynTek Information Risk Questionnaire and the requested supplemental documents provided by the client.

INFORMATION RISK GAP ANALYSIS (Existing Cybersecurity Program): Information Risk Gap Analysis consisting of 11 Information Security Management Controls and 42 sub-components.
Cyber Security Testing
DynTek Cyber Security Testing is a ‘hands on’ effort in which Test Operators attempt to circumvent the security features of a system or network based on their understanding of its technical design and implementation. The purpose of a penetration test is to identify methods for gaining access to a system or network using common attacker tools and techniques. Accordingly, before conducting a penetration test the operator must first conduct a vulnerability assessment to determine exploitable targets.
*Pricing will vary depending on the size of the target environment and the persistence requested for penetration testing (time to break). Consequently, we often scope and price testing engagements at a flat rate per day once we are able to gauge the size of the target environment.
EXTERNAL NETWORK ASSESSMENT
Targets: Internet-facing systems and devices
Attack Parameters: May include both automated and manual attacks; will usually NOT include exploitation of any identified vulnerabilities; password cracking usually in scope
Restrictions: Attack(s) usually limited to non-business hours
Time to Complete: Dependent on target size, measured in Internet Protocol (IP) addresses
INTERNAL NETWORK ASSESSMENT
Targets: Internal network devices, including but not limited to domain controllers, infrastructure services (WINS/DHCP/DNS), servers, workstations, printers and network devices
Optional: Configuration review of the firewall and internal
Attack Parameters: Unobtrusive system vulnerability scans may occur during business hours (caution: potential for interruption of critical business systems); may include both automated and manual attacks, but will not usually include exploitation of any identified vulnerabilities; password cracking is usually in scope
Restrictions: Internal network assessment will be conducted on-site; will not include mainframe systems
Time to Complete: Dependent on target size, measured in internal Internet Protocol (IP) addresses
WIRELESS ASSESSMENT
Targets: Organization, campus, specific building, or facility
Attack Parameters: Rogue wireless device detection; penetration testing and password cracking usually in scope
Restrictions: Wireless security risk assessment usually limited to 802.11 technologies
Time to Complete: Dependent on target size, measured in internal Internet Protocol (IP) addresses
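The rogue wireless device detection named in the wireless scope above comes down to comparing what a scanner hears against an inventory of the access points the organization actually owns. The script below is an added example, not DynTek's code or tooling. The BSSIDs, SSIDs, channels, signal levels and the authorized-AP inventory are all constructed sample data, and the verdict categories (evil twin, misconfigured authorized AP, weak-security rogue, faint unknown) are assumptions about how such a check would be scoped on an 802.11 assessment.

```python
"""Rogue wireless device detection against an authorized-AP inventory.

Added example, not DynTek's code. Input is a list of observed 802.11 access
points as a scanner (airodump-ng, `iw dev wlan0 scan`, a WIDS export) would
report them; the inventory is what the organization says it owns. Every
BSSID, SSID and signal value here is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str        # AP MAC address as reported by the scanner
    ssid: str         # network name in the beacon
    channel: int
    security: str     # "OPEN", "WEP", "WPA", "WPA2" or "WPA3"
    rssi_dbm: int     # received signal strength


# Constructed inventory: BSSID -> (SSID it must broadcast, security it must use)
AUTHORIZED = {
    "00:11:22:33:44:01": ("DMS-Staff", "WPA2"),
    "00:11:22:33:44:02": ("DMS-Staff", "WPA2"),
    "00:11:22:33:44:03": ("DMS-Guest", "WPA2"),
}
WEAK_SECURITY = {"OPEN", "WEP", "WPA"}


def normalize_bssid(bssid):
    """Scanners disagree on case and separator; compare in one canonical form."""
    return bssid.strip().lower().replace("-", ":")


def classify(ap, authorized=AUTHORIZED):
    """Return (verdict, reason) for one observed AP.

    Order matters: an authorized BSSID is judged against its own inventory
    entry first; an unknown BSSID is checked for spoofing our SSID (evil
    twin) before it is judged on its security settings alone.
    """
    inventory = {normalize_bssid(b): v for b, v in authorized.items()}
    our_ssids = {ssid for ssid, _ in inventory.values()}
    bssid = normalize_bssid(ap.bssid)

    if bssid in inventory:
        expected_ssid, expected_sec = inventory[bssid]
        if ap.ssid != expected_ssid:
            return "misconfigured", f"authorized BSSID broadcasting '{ap.ssid}', expected '{expected_ssid}'"
        if ap.security != expected_sec:
            return "misconfigured", f"authorized BSSID using {ap.security}, expected {expected_sec}"
        return "authorized", "matches inventory"
    if ap.ssid in our_ssids:
        return "evil-twin", f"organization SSID '{ap.ssid}' from BSSID not in inventory"
    if ap.security in WEAK_SECURITY:
        return "rogue", f"unknown AP with weak security ({ap.security})"
    return "unknown", "not in inventory; verify owner (neighbor or unregistered device)"


def detect_rogues(observations, authorized=AUTHORIZED, min_rssi_dbm=-75):
    """Classify a whole scan; returns {verdict: [bssid, ...]}.

    Faint APs are usually neighbors, so unknown/rogue verdicts below the
    signal floor are dropped. An evil twin is kept regardless of signal:
    a low-power AP spoofing our SSID is still a finding.
    """
    findings = {k: [] for k in ("evil-twin", "misconfigured", "rogue", "unknown", "authorized")}
    for ap in observations:
        verdict, _ = classify(ap, authorized)
        if ap.rssi_dbm < min_rssi_dbm and verdict in ("unknown", "rogue"):
            continue
        findings[verdict].append(normalize_bssid(ap.bssid))
    return findings


# Constructed scan results for one walk-through of a facility.
SAMPLE_SCAN = [
    ObservedAP("00-11-22-33-44-01", "DMS-Staff", 6, "WPA2", -40),    # ours, odd separator
    ObservedAP("00:11:22:33:44:03", "DMS-Guest", 11, "WPA2", -55),   # ours
    ObservedAP("AA:BB:CC:DD:EE:01", "DMS-Staff", 6, "WPA2", -45),    # evil twin
    ObservedAP("00:11:22:33:44:02", "DMS-Staff", 1, "OPEN", -50),    # ours, security downgraded
    ObservedAP("de:ad:be:ef:00:01", "Linksys", 3, "OPEN", -48),      # rogue consumer AP
    ObservedAP("12:34:56:78:9a:bc", "NeighborNet", 9, "WPA2", -82),  # faint neighbor, dropped
    ObservedAP("12:34:56:78:9a:bd", "DMS-Guest", 9, "WPA2", -80),    # faint but spoofing us
]

if __name__ == "__main__":
    for ap in SAMPLE_SCAN:
        verdict, reason = classify(ap)
        print(f"{normalize_bssid(ap.bssid)}  {ap.ssid:12} {verdict:14} {reason}")
    print(detect_rogues(SAMPLE_SCAN))
```

The signal floor is the knob an operator tunes per site: too high and a low-power rogue plugged in behind a desk is missed, too low and the report fills with neighbors. Evil twins are exempt from the floor on purpose, since the attacker chooses the power level.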
SOCIAL ENGINEERING
Attempt to bypass security controls in order to gain access to sensitive areas or information
Targets: Individual, organization, campus, specific building, or facility
Attack Parameters: May include physical access, telephone, and email/phishing
Restrictions: Attack may be performed at any time
Time to Complete: Dependent on target size and client needs

APPLICATION PEN TEST
Targets: Web-based production application, Internet-facing IP address
Attack Parameters: May include both automated and manual attacks; may include attempts to gain access through social engineering
Restrictions: Will usually not include exploitation of any identified vulnerabilities; password cracking is usually in scope; will not include a code review
SOURCE CODE SECURITY REVIEW
The goal of an application source code security review is to identify software vulnerabilities that could be exploited if an attacker gained access.
C) Preparation
Provide guidance on requirements and best practices.
In addition to the content described in the response above, DynTek can provide consulting on information assurance issues, including requirements and best practices for the following:
- Security Policy
- Organization of Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
D) Developing Cyber-Security Incident Response Plans
Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.
The incident response process has several phases. The initial phase involves establishing and training an incident response team and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
However, residual risk will inevitably persist after implementation of controls. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it and producing a post incident mitigation plan. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After adequately handling the incident, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to mitigate, or prevent, future incidents.
Organizing an effective information security incident response capability involves several major decisions and actions. The organization must decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. This section provides not only guidelines that should be helpful in establishing incident response capabilities, but also advice on maintaining and enhancing existing capabilities.
It is critical early in this effort to identify and solicit cooperation from other groups within the organization that will be essential in incident handling. Every incident response team relies on the expertise, judgment, and abilities of others, including:
- Senior Management
- Legal Department
- Public Affairs and Media Relations
- Human Resources
- Physical Security and Facilities Management
An incident response team should be available whenever an incident involving the organization is suspected to have occurred. One or more team members, depending on the magnitude of the incident and the availability of personnel, should then be available exclusively to handle the incident.
These incident handlers must analyze the incident data, determine the impact of the incident, and react appropriately to limit the damage and restore services to normal. Accordingly, the incident response team’s success depends on the participation and cooperation of individuals throughout the organization. This section discusses incident response team models and provides advice on selecting an effective model for your organization.
Team Models
Possible structures for an incident response team include:
Central Incident Response Team
A single incident response team handles incidents throughout the organization. This model is effective for small organizations and organizations with minimal geographic diversity in terms of computing resources.
Distributed Incident Response Teams
The organization has multiple incident response teams, each responsible for a particular logical or physical segment of the organization. This model is effective for large organizations (e.g., one team per division) and for organizations with major computing resources at distant locations (e.g., one team per geographic region, one team per major facility). However, the teams should be part of a single coordinated entity so that the incident response process is consistent across the organization and information is shared among teams. This is particularly important because multiple teams may see components of the same incident or may handle similar incidents.
Coordinating Team
An incident response team provides advice to other teams without having authority over those teams— for example, a department-wide team may assist individual agencies’ teams. This model can be thought of as a CSIRT for CSIRTs. Because the focus of this document is central and distributed CSIRTs, the coordinating team model is not addressed in detail in this document.
DynTek facilitates and, where appropriate, provides ongoing assistance in the creation and management of client incident response programs, developing the information, policies, procedures and team structures identified above into an incident response program plan. Information about the coordinating team model, as well as extensive information on other team models, is available in a CERT®/CC document titled Organizational Models for Computer Security Incident Response Teams (CSIRTs) (http://www.cert.org/archive/pdf/03hb001.pdf).
E) Training
Provide training for State Agency staff from basic user awareness to technical education.
Virtually all Information Security Standards and Regulations require both information security awareness and information security training targeted at all users (including managers, senior executives, and contractors) on an on-going basis.
“Learning is a continuum … it starts with awareness, builds to training, and evolves into education.” (NIST Special Publication 800-16 Revision 1)
DynTek has developed a Web based Information Security tutoring solution. Our approach delivers two options for our clients:
1) Generic (ISO 17799/27001) Information Security Awareness and Training modules
or
2) Customized (branded if desired) Information Security Awareness and Training modules based on specific corporate or regulatory requirements unique to the client or line of business, such as HIPAA, FISMA, NERC CIP, CJIS, IRS Pub 1075, Red Flags, etc.
In either case, our training is designed to provide a convenient and cost-effective approach to Information Security Awareness and Training.
Most organizations have either adopted or are moving toward a remote or ‘off-site’ business model. Consequently, the opportunity to conduct collective information security awareness or training sessions has become a challenge. Our solution provides a web based series of awareness and training modules that can be accessed via the Internet anywhere, anytime. The ‘student’ simply logs in using a credit card, selects a module and follows on-screen prompts through the module. When the module has been completed with a passing score an email is generated by our system informing your Human Resources organization that successful Information Security Awareness or Training has been accomplished by the ‘student’.
Post-Incident Services
A) Breach Services Toll-free Hotline
Provide a scalable, resilient call center for incident response information to State Agencies.
DynTek does not provide this service.
B) Investigate/Clean-up
Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels.
DynTek can help manage all aspects of incident response including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed.
In response to risks identified by a breach, we work with clients to:
- Limit immediate incident impact to customers and partners
- Recover from the incident and return to operations
- Determine how the incident occurred
- Avoid escalation and further incidents
- Help assess impact and damage
- Determine who initiated the incident and your options going forward
- Review existing policies and protocols for adequacy
- Review adequacy of other systems security
- Develop long-term mitigation plans
- Provide necessary training
C) Incident Response
Provide guidance or technical staff to assist State Agencies in response to an incident.
DynTek is available to help you manage all aspects of a breach including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed.
In response to risks identified by a breach, we work with you to:
- Limit immediate incident impact to customers and partners
- Recover from the incident and return to operations
- Determine how the incident occurred
- Avoid escalation and further incidents
- Help assess impact and damage
- Determine who initiated the incident and your options going forward
- Review existing policies and protocols for adequacy
- Review adequacy of other systems security
- Develop long-term mitigation plans
- Provide necessary training
D) Mitigation Plans
Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.
The DynTek Team can provide support in all phases of cyber security mitigation efforts: planning, testing, and implementation. Specifically, the Team can:
- Advise DMS employees regarding information security best practices and security architecture mitigation efforts.
- Review and recommend technical solutions to DMS based on an understanding of recognized risk results.
- Conduct systems security analysis and implementation, system engineering, electrical design, design assurance, testing, software engineering, program design, configuration management, integration and testing of products and techniques, as well as providing information risk advice.
The Team’s solutions will be based on a firm understanding of DMS policy, practices, procedures, customer requirements, and emerging technologies, as well as anticipated future trends associated with information management, information systems, and data networks, especially as they affect:
- Organization of Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
E) Identity Monitoring, Protection, and Restoration
Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cyber-security incident.