
Department of Management Services. Request for Information


September 3, 2015

Submitted By: Carlos Henley
DynTek Services, Inc.
2260 Wednesday St., Suite 600
Tallahassee, FL 32308
Phone: (850) 219-7911
Fax: (850) 219-7919
www.dyntek.com

Department of Management Services

Request for Information

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services


DynTek Services, Inc. 2

Request for Information 9/3/2015

Contents

INTRODUCTION
BACKGROUND
CONTACT INFORMATION
RESPONSE TO SECTION IV
Pre-Incident Services
  A) Incident Response Agreements
  B) Assessments
    Standards Based Information Risk Assessments
    Cyber Security Testing
  C) Preparation
    Consulting on Information Assurance Issues
  D) Developing Cyber-Security Incident Response Plans
  E) Training
    Information Security Training
Post-Incident Services
  A) Breach Services Toll-free Hotline
  B) Investigate/Clean-up
  C) Incident Response
    Cyber Incident Response
  D) Mitigation Plans


INTRODUCTION

With over 20 years of experience, DynTek Services, Inc. (DynTek) is a premier provider of technology and management solutions to commercial firms, state government and local government sectors. Our comprehensive security solutions incorporate our full range of services. DynTek plans and implements strategic projects and creates and maintains systems for a wide range of platforms and architectures. DynTek has a history of providing the vertical markets of Financial, Healthcare, Manufacturing and government agencies with technology-based tools and solutions to secure their systems from internal and external security threats.

BACKGROUND

DynTek’s assessment process is based upon industry standard methodologies and best practices, as well as years of actual application assessment experience. The result is a highly structured methodology and assessment process that can be uniformly deployed across all organizations. An effective information security program is based on people, processes, and technology. It is our belief that simply throwing money at technology does not guarantee a sound security program. For that reason, successful information security programs require the thoughtful integration of people and processes into a sound technical architecture. The trilogy of people, process, and technology is ingrained in our people and in the solutions or work-products that we deliver.

DynTek has been a vendor for State and Local customers in Florida and maintained a local office since 1996. Our office is located at:

DynTek Services, Inc.

2260 Wednesday Street, Suite 600 Tallahassee, FL 32308

Phone: 850-219-7917 Fax: 850-219-7919 Tax ID: 13-4067484

DynTek maintains Federal GSA Schedule #GS-35F-0025N. DynTek also maintains state contracts in Florida, California, Nevada, New Jersey, and New York. Please visit our website at www.dyntek.com to view all government contracts.


CONTACT INFORMATION

Carlos Henley
DynTek Services, Inc.
Senior Account Manager
Phone: (850) 219-7911
Email: carlos.henley@dyntek.com

RESPONSE TO SECTION IV

DynTek is able to provide:

EXPERTISE

• Understanding Cyberspace and Cybersecurity
• Identifying and investigating contemporary threats involving cyberspace
• Anticipating the convergence of cybersecurity and the physical world
• Articulating risk issues related to cyberspace and cybersecurity
• Crafting custom solutions to the challenges of cyberspace and cybersecurity

DynTek delivers:

Preventative Solutions

Standards Based Information Risk Assessments
Cyber Security Testing
Information Security Training

Detective Solutions

Cybersecurity Analytics & Alerting
Technical Surveillance Countermeasures
Business Forensics

Corrective Solutions

Consulting on Information Assurance Issues
Cyber Incident Response
IT Audit Advocacy

Cybersecurity Consulting Services

• Consulting On Cyber & Physical Risk Management Issues
• Assessing People and Business Security Risk
• Communications Security, Systems Security Testing
• Operations Security, Wireless Network Assessments
• Risk Assessments, Third Party, Vendor
• Physical and Environmental Security
• Supply Chain Security Consulting
• Strategic Security Planning & Facilitation

Pre-Incident Services

A) Incident Response Agreements

Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.

DynTek can provide for a number of terms and conditions to be in place prior to any cyber-security event, including an initial retainer for Incident Response Activities On-Demand. Organizing the activities necessary to prepare in advance for the management and handling of incident response requires the consideration of a lifecycle approach composed of serial phases (Preparation, Identification, Containment, Eradication, Recovery, and Follow-Up) and of ongoing parallel activities (Analysis, Communication, and Documentation).

Establishing a bank of hours or a retainer relative to pre-planning services in the event of a significant incident that required information/cyber security resources and expertise to augment the State of Florida from an incident response plan should incorporate an initial determination of the target organization’s Information Security Incident Response Capability, Dependencies within the Organization, and an Incident Response Team Structure, to include the designation of an Incident Response Point of Contact and Emergency Communications Protocol.

B) Assessments

Evaluate a State Agency’s current state of information security and cyber-security incident response capability.

Evaluation of the agency’s current state and capability to respond to a cyber-security incident is one of the core tenets of DynTek’s offerings and capabilities. Below are some samples of what we examine and the depth of what can be examined. This evaluation is one of the more important elements of the development of a security program. The Information Risk Assessment is directly related to the client’s needs and information security program.

Information Risk Assessments set the stage for establishing the Information Technology ‘Big Picture’. Our Information Risk Assessment process is built around an ISO 17799/27001 based framework, and controls are customized according to business needs (Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Financial Services - Federal Financial Institutions Examination Council (FFIEC) & Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability


Card Industry Data Security Standard (PCI DSS). Our inquiry will include every aspect of your organization: People, Process, and Technology.

TYPES OF ASSESSMENTS

PURPOSE/TYPE | PROCESS DESCRIPTION

INFORMATION RISK ASSESSMENT for PROGRAM DEVELOPMENT | Information Risk Assessment consisting of 11 Information Security Management Controls and 132 sub-components

INFORMATION RISK DOCUMENT REVIEW | Analysis of client completed DynTek Information Risk Questionnaire and requested supplemental documents provided by client

INFORMATION RISK GAP ANALYSIS (Existing Cybersecurity Program) | Information Risk Gap Analysis consisting of 11 Information Security Management Controls and 42 sub-components


Cyber Security Testing

DynTek Cyber Security Testing is a ‘hands on’ effort in which Test Operators attempt to circumvent security features of a system or network based on their understanding of the technical design and implementation. The purpose of a penetration test is to identify methods for gaining access to a system or network by using common attacker tools and techniques. Accordingly, in order to conduct a penetration test, the operator must first conduct a vulnerability assessment in order to determine exploitable targets.

*Pricing will vary dependent on size of target environment and the persistence requested for penetration testing (time to break). Consequently, we often scope and price testing engagements on a flat rate per day once we are able to gauge the size of the target environment.

EXTERNAL NETWORK ASSESSMENT

Targets: Internet facing systems and devices

Attack Parameters: May include both automated and manual attacks; will usually NOT include exploitation of any identified vulnerabilities; password cracking usually in the scope

Restrictions: Attack(s) usually limited to non-business hours

Time to Complete: Dependent on target size according to Internet Protocol (IP) addresses

INTERNAL NETWORK ASSESSMENT

Targets: Internal network devices, not limited to domain controllers, infrastructure services (WINS/DHCP/DNS), servers, workstations, printers and network devices

Optional: Configuration review of the firewall and internal

Attack Parameters: Unobtrusive system vulnerability scans may occur during business hours; Caution: potential for interruption of critical business systems

Restrictions: Internal network assessment will be conducted on-site

Will not include mainframe systems

May include both automated and manual attacks; but will not usually include exploitation of any identified vulnerabilities; password cracking is usually in the scope

Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses

WIRELESS ASSESSMENT

Targets: Organization - Campus - Specific Building - or Facility

Rogue wireless device detection; penetration testing, password cracking usually in the scope

Restrictions: Wireless security risk assessment usually limited to 802.11 technologies

Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses

SOCIAL ENGINEERING

Attempt to bypass security controls in order to gain access to sensitive areas or information

Targets: Individual - Organization - Campus - Specific Building - or Facility

Attack Parameters: May include physical access, telephone, and email/phishing

Restrictions: Attack may be performed any time

Time to Complete: Dependent on target size and client needs

APPLICATION PEN TEST

Targets: Web-based production application, Internet facing IP address

Attack Parameters: May include both automated and manual attacks

May include attempts to gain access through social engineering

Restrictions: Will usually not include exploitation of any identified vulnerabilities

Password cracking is usually in the scope

Will not include a code review

SOURCE CODE SECURITY REVIEW

The goal of an application source code security review is to recognize software vulnerabilities that might be exploited if access were gained.

C) Preparation

Provide guidance on requirements and best practices.

In addition to the content described in the response above, DynTek can provide Consulting on Information Assurance Issues that would include requirements and best practices for the following:

• Security Policy
• Organization of Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Info Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

D) Developing Cyber-Security Incident Response Plans

Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.

The incident response process has several phases. The initial phase involves establishing and training an incident response team and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.

However, residual risk will inevitably persist after implementation of controls. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it and producing a post incident mitigation plan. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After adequately handling the incident, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to mitigate, or prevent, future incidents.

Organizing an effective information security incident response capability involves several major decisions and actions. The organization must decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. This section provides not only guidelines that should be helpful in establishing incident response capabilities, but also advice on maintaining and enhancing existing capabilities.


It is critical early in this effort to identify and solicit cooperation from other groups within the organization that will be essential in incident handling. Every incident response team relies on the expertise, judgment, and abilities of others, including:

• Senior Management
• Legal Department
• Public Affairs and Media Relations
• Human Resources
• Physical Security and Facilities Management

An incident response team should be available whenever an incident involving the organization is suspected to have occurred. One or more team members, depending on the magnitude of the incident and availability of personnel, should then be available exclusively to handle the incident.

These incident handlers must analyze the incident data, determine the impact of the incident, and react appropriately to limit the damage and restore services to normal. Accordingly, the incident response team’s success depends on the participation and cooperation of individuals throughout the organization. This section discusses incident response team models and provides advice on selecting an effective model for your organization.

Team Models

Possible structures for an incident response team include:

Central Incident Response Team

A single incident response team handles incidents throughout the organization. This model is effective for small organizations and organizations with minimal geographic diversity in terms of computing resources.

Distributed Incident Response Teams

The organization has multiple incident response teams, each responsible for a particular logical or physical segment of the organization. This model is effective for large organizations (e.g., one team per division) and for organizations with major computing resources at distant locations (e.g., one team per geographic region, one team per major facility). However, the teams should be part of a single coordinated entity so that the incident response process is consistent across the organization and information is shared among teams. This is particularly important because multiple teams may see components of the same incident or may handle similar incidents.

Coordinating Team

An incident response team provides advice to other teams without having authority over those teams—for example, a department-wide team may assist individual agencies’ teams. This model can be thought of as a CSIRT for CSIRTs. Because the focus of this document is central and distributed CSIRTs, the coordinating team model is not addressed in detail in this document.

DynTek facilitates and, where appropriate, provides ongoing assistance in the creation and management of client incident response programs. Upon developing the information, policies, procedures and teaming structures as identified below, the incident response program plan serves to facilitate information about the coordinating team model, as well as extensive information on other team models, is available in a CERT®/CC document titled Organizational Models for Computer Security Incident Response Teams (CSIRTs) (http://www.cert.org/archive/pdf/03hb001.pdf).

E) Training

Provide training for State Agency staff from basic user awareness to technical education.

Virtually all Information Security Standards and Regulations require both information security awareness and information security training targeted at all users (including managers, senior executives, and contractors) on an on-going basis.

“Learning is a continuum … it starts with awareness, builds to training, and evolves into education.” (NIST Special Publication 800-16 Revision 1)

DynTek has developed a Web-based Information Security tutoring solution. Our approach delivers two options for our clients:

1) Generic (ISO 17799/27001) Information Security Awareness and Training modules

or

2) Customized (branded if desired) Information Security Awareness and Training modules based on specific corporate or regulatory requirements unique to the client or line of business, such as HIPAA, FISMA, NERC CIP, CJIS, IRS Pub 1075, Red Flags, etc.

In either case, our training is designed to provide a convenient and cost-effective approach to Information Security Awareness and Training.

Most organizations have either adopted or are moving toward a remote or ‘off-site’ business model. Consequently, the opportunity to conduct collective information security awareness or training sessions has become a challenge. Our solution provides a web based series of awareness and training modules that can be accessed via the Internet anywhere, anytime. The ‘student’ simply logs in using a credit card, selects a module and follows on-screen prompts through the module. When the module has been completed with a passing score an email is generated by our system informing your Human Resources organization that successful Information Security Awareness or Training has been accomplished by the ‘student’.

Post-Incident Services

A) Breach Services Toll-free Hotline

Provide a scalable, resilient call center for incident response information to State Agencies.

DynTek does not provide this service.

B) Investigate/Clean-up

Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels.

DynTek can help manage all aspects of incident response including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed.

In response to risks identified by a breach, we work with clients to:

• Limit immediate incident impact to customers and partners
• Recover from the incident and return to operations
• Determine how the incident occurred
• Avoid escalation and further incidents
• Help assess impact and damage
• Determine who initiated the incident and your options going forward
• Review existing policies and protocols for adequacy
• Review adequacy of other systems security
• Develop long-term mitigation plans
• Provide necessary training

C) Incident Response

Provide guidance or technical staff to assist State Agencies in response to an incident.

DynTek is available to help you manage all aspects of a breach including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed.

In response to risks identified by a breach, we work with you to:

• Limit immediate incident impact to customers and partners
• Recover from the incident and return to operations
• Determine how the incident occurred
• Avoid escalation and further incidents
• Help assess impact and damage
• Determine who initiated the incident and your options going forward
• Review existing policies and protocols for adequacy
• Review adequacy of other systems security
• Develop long-term mitigation plans
• Provide necessary training

D) Mitigation Plans

Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.

The DynTek Team can provide support in all phases of cyber security mitigation efforts: planning, testing, and implementation.

• Advise DMS employees regarding information security best practices and security architecture mitigation efforts.
• Review and recommend technical solutions to DMS based on an understanding of recognized risk results.
• Conduct systems security analysis and implementation, system engineering, electrical design, design assurance, testing, software engineering, program design, configuration management, integration and testing of products and techniques, as well as providing information risk advice.

The Team’s solutions will be based on a firm understanding of DMS policy, practices, procedures, customer requirements, and emerging technologies, as well as anticipated future trends associated with information management, information systems, and data networks. Especially affecting:

• Organization of Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Info Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

E) Identity Monitoring, Protection, and Restoration

Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cyber-security incident.
