Engagement Acknowledgement

By accepting the terms and conditions upon checkout, you agree to the service(s) process, deliverables and guidelines as described below respective to the service(s) purchased.

External Network Vulnerability Scan

The scan will involve the technical testing of externally accessible networks, firewalls, intrusion detection systems, routers, switches, servers, and services only. The term “externally accessible” refers to systems and services that are reachable from the Internet.

Testing Process

The External Vulnerability Scanning is comprised of these phases:

Vulnerability Identification
Hosts are tested for publicly known vulnerabilities, including some recently disclosed (zero-day) vulnerabilities for which no vendor patch is yet available. Vulnerabilities in configurations, operating system versions, and application versions are identified.

Vulnerability Verification
The vulnerabilities identified in the previous phase are subjected to further testing to confirm that they are genuine (not false positives) and to establish their impact.

Analysis
Vulnerabilities are assessed for the likelihood of compromise and impact to the organization. Furthermore, vulnerabilities are ranked according to severity and recommendations for remediation are documented.

Reporting
Reports are created and formatted to include the following common sections: Background, Testing Process, Reconnaissance/Discovery, Enumeration, Host Enumeration Summary, Vulnerability Identification, High Risk Vulnerabilities, Moderate Risk Vulnerabilities, Low Risk Vulnerabilities, and Summary.

  • Vulnerability Detail Report – A report that breaks down vulnerabilities by host. It provides detailed information on each vulnerability found and screenshots of exploit attempts made by the scanning program.
  • External Enumeration Report – Identification and qualification of information resources made available by the organization, some intentionally and others unintentionally. The report is sorted by host and provides an open port summary.
  • Raw scanning data (as necessary or requested)

Internal Network Vulnerability Scan

Testing Process

  • Vulnerability scanning on the internal network
    • Tests conducted against a database of 47,000+ known vulnerabilities
    • Tests against known good configurations
  • Processing of the collected vulnerability data
    • Create reports leveraging the output of the vulnerability scan

Scope and Limitations:
The following are the limitations that apply to this service:

  • FRSecure must be provided a physical or virtual machine capable of hosting and running the scan. FRSecure will set up the scan once the environment has been provided.
  • Scanning will be performed Monday through Friday between the hours of 8 a.m. and 5 p.m.
  • FRSecure must be provided with all network credentials necessary to perform an authenticated scan.
  • All scans will be performed remotely.

Reporting

  • Vulnerability Scan Reports – the reports give breakdowns of top vulnerabilities, most vulnerable hosts, scoring, etc.
  • Excel spreadsheets; one each for all vulnerabilities, critical severity vulnerabilities, high severity vulnerabilities, and moderate severity vulnerabilities. These spreadsheets help with sorting, prioritization and remediation.
  • Raw scanning data (as necessary or requested)

Web Application Vulnerability Scan

Engagement Summary
Web Application Vulnerability scanning utilizes automated tools to evaluate web applications for security vulnerabilities such as cross-site scripting, SQL injection, command injection, path traversal and insecure server configuration. The primary tools used by FRSecure for this purpose are Burp Suite Pro and Acunetix. After automated scanning is complete, FRSecure’s team manually verifies all critical and high severity findings to rule out false positives.

FRSecure will perform web application vulnerability scanning according to the scope defined by this document. Because automated scanning submits large volumes of crafted requests and may create, modify or delete application data, FRSecure cautions against performing this type of testing against a production environment. Ideally, a development or staging environment running the same code as production should be used.

Application Vulnerability Scanning
Publicly known vulnerabilities and the OWASP Top Ten critical risk categories will be the primary focus of testing.

The 2017 OWASP Top Ten critical risk categories:

A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring

Deliverables
FRSecure will provide a web application vulnerability scan report that details any vulnerabilities identified. The report will include risk ratings, vulnerability information and FRSecure’s expert recommendation on the remediation of any issues identified.

External Penetration Test

Engagement Summary
FRSecure penetration tests are typically performed as white-box assessments, in which the tester is given documentation, credentials and other knowledge of the environment. These assessments yield more accurate results and provide a more comprehensive test of the security posture of the environment than a black-box or grey-box assessment, because effort is spent exploiting weaknesses rather than rediscovering what the client already knows.

Methodology
FRSecure’s penetration testing methodology is based on the Penetration Testing Execution Standard (PTES). PTES is a widely accepted standard for penetration testing and is based on the practical knowledge and experience of leading experts in the security industry.

External penetration testing consists of enumerating and verifying vulnerabilities that could be exploited by external attackers to gain unauthorized access to the client’s systems. The assessment helps validate the organization’s investment in its security and information technology infrastructure. FRSecure’s team plays the role of an external attacker, attempting to exploit vulnerable systems to obtain confidential information or to compromise network perimeter defenses.

Deliverables

  • External Penetration Test Report
  • Executive Summary
  • Reconnaissance
  • Enumeration
  • Exploitation
  • Recommendations

Social Engineering – Phishing

FRSecure provides the following email Social Engineering services:

  • Generic Phishing
    A general phishing attack aimed at a broad group of users, attempting to collect as much information as possible from as many people as possible (UPS package, prize giveaway, news website, etc.). A Generic Phishing engagement uses one of FRSecure’s predefined templates.
  • Spear Phishing
    A simulated, customized email social engineering attack that employs known information about employees and/or the company to appear legitimate, increase success rates and, in some cases, obtain more specific information (OWA login, Google Apps, email from HR, etc.). Spear Phishing campaigns will be customized by FRSecure in collaboration with client staff.

Assumptions

FRSecure will provide all of the materials required for the completion of this engagement. FRSecure will rely upon experience, testing, observation, and interviews with client employees to assess the completeness and effectiveness of the client’s information security program. FRSecure will follow all guidance provided by the standards referenced below for the completion of the work.

The FRSecure information security analyst will review a variety of information including, but not necessarily limited to, prior working papers and reviews, and current client diagrams, policies, processes, and procedures.

Assessments are conducted in accordance with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the ISO/IEC 27002:2013 international standard, the Center for Internet Security (CIS) Controls, and NIST Special Publication 800-53 (NIST SP 800-53).

Change Management Process

Changes can be made to the scope of this engagement and to the Statement of Work. Any change requested by either party must be made in writing and signed by both parties to indicate acceptance.

Engagement Related Expenses

All engagement-related expenses will be billed to the client in accordance with the FRSecure Client Project Travel and Expense Policy.

Contact Information

FRSecure LLC
Attn Kevin Orth
5909 Baker Road Suite 500
Minnetonka, MN 55345
Phone 952-467-6381; Fax 952-392-7052
Email [email protected]