Project Request: Penetration tester

Looking for a penetration testing expert with a proven record in cybersecurity who can share up to 3 business references, to assess our client's current security posture and identify weaknesses, vulnerabilities and exploitable conditions in the information systems, networks, applications, procedures, and facilities, per the identified scope.

All tests shall be non-destructive in nature: all remote system scanning and all attempts to exploit vulnerabilities or escalate privileges are to be conducted with proper care to avoid any disruption of service.

1) The ability to perform all gray, black and white box testing, including, but not limited to:

a) Internal Pentest - to be performed from within the organization’s perimeter.

  • Network surveying and services identification
  • Up to 300 IPs (including PCs, VMs, firewalls, routers, switches, and other devices)
  • Firewall configuration review: Up to 3 firewall configurations, up to 300 rules
  • Password service strength testing

b) External Pentest - to be performed from within the organization’s perimeter

  • Network surveying and services identification
  • Web Applications (up to 5)
  • Denial of service identification
  • Firewall and routers
  • ISP analysis
  • Public information & information leakage
  • Remote Access Applications and Services (VPN, Remote Desktop, FTP, File Sharing Services).
  • VPN endpoint analysis

c) Wireless Pentest – to be performed with either internal or external testing

  • Up to 2 locations

d) Social Engineering

  • Up to 100 users
  • Phishing
  • Spear Phishing
  • Brute force (on designated systems)
  • Password Cracking
  • Whaling

e) Access perspectives:

  • No access
  • External end user (‘customer’) access

Looking for a medium/expert level Information Security specialist for a high-level white box penetration test, using the OWASP web application criteria.

2) Offeror must be able to provide complimentary post-remediation reviews. (Discussion-Based)

3) Offeror must complete all clean-up processes before finishing the penetration test, including but not limited to:

a) Removal of accounts created as part of the assessment

b) Removal of tools installed by the tester on the customer’s systems

4) Confidential data about the customer obtained from the penetration test must be disposed of in an appropriate manner.

5) Offeror shall provide support for any technical issues associated with the penetration testing.

6) Offeror shall supply a list of the prospective employees who will perform the penetration test against the customer network, in terms of:

a) Offeror’s certifications and experience in the cyber security field (employees must have a minimum of 3+ years of experience).

  • Employees must have at a minimum 3+ years of experience
  • Each individual performing the testing will be required to have one of the following industry recommended information security certifications: Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), SANS GIAC Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), Certified Information Security Auditor (CISA).
  • Demonstrated experience with black box and grey box penetration testing and social engineering. Offeror must provide examples of previous projects and resumes indicating the number of years’ experience of the employees who will be assigned to the SBE account.

b) The programming experience of the Offeror’s individuals.

c) Results of the Offeror’s employee background check(s) (each employee shall have a clean background record).

7) A summary of any key differentiators that make the Offeror uniquely positioned to provide penetration testing services to the SBE.

8) A description of the Offeror’s work with 3 other clients for a similar scope of work, with contact information and/or testimonials provided to the SBE if available.

IV. Rules of Engagement

During the Planning phase, detailed guidelines will be established describing:

1) The extent of the authority of the awarded Contractor’s security penetration testing team to perform the actions prescribed herein.

2) The procedures that are to be followed for the care and handling of any data that is compromised as a result of the actions prescribed herein.

3) Identification of any assets, applications, facilities, personnel, or other targets that should be explicitly included in or excluded from the penetration test.

V. Deliverables

1) Project Plan:

a) A project plan will be adopted and delivered prior to the selection.

b) Regular project status update meetings.

2) Final Report will include:

  • Executive Summary
      o Executive-level discussion regarding the assessment, including the objectives and findings
      o Risk summary identifying both the level of risk and the level of effort required to remediate
  • Scope and Rules of Engagement
      o Documents the client’s requirements/scope and any assumptions
  • Security Posture Analysis
      o Summarized recommendations
      o Concise view into positive and negative findings

At Puffin Security, we enjoy contributing security project knowledge to complex organizations; our team is composed of Certified Security Engineers who follow codes of conduct (the ISACA, (ISC)2 and ISSA codes of conduct, as well as the OSSTMM “Rules of Engagement”). For more information, contact us at info@puffinsecurity.com