Hi,


Hope you are doing well!

Please find the position below and let me know your availability along with
an updated copy of your resume.



*Penetration Tester*

*Richmond, VA*

*1 Year Contract*



*Purpose*

The Virginia Retirement System (VRS) is seeking sealed proposals from
qualified firms to provide Penetration Testing Services. It is the intent
of VRS to make multiple awards. The initial contract period shall be one
year with five (5) one year renewal options.



*Statement of Need*

VRS defines a penetration test as a concerted attempt by knowledgeable
certified professionals, using real-world attacks, to bypass or circumvent
security controls, or to exploit weaknesses in the various systems to gain
unauthorized or administrative access to VRS systems or networks.
Vulnerability scanning (using automated tools to identify and classify
vulnerabilities using a repository of scripts and/or vulnerabilities) may
be considered a part of a penetration test, but such automated processes
alone are not considered to be a true penetration test. Any vulnerability
identified through any means should be fully tested to determine the actual
risk and ramifications of those vulnerabilities.



*Requirements:*

*1. The following categories of penetration testing services are desired:*

a. External Web Application Penetration testing

b. External Network Penetration Testing

c. Internal Web Application Penetration Testing

d. Internal Network Penetration Testing

e. Wireless Network Penetration Testing

f. Social Engineering

g. Source Code Review

h. Security Assessments for the following:

i. Firewall and Routers

ii. Database Architecture

iii. Active Directory

iv. Telecommunications



*2. The following requirements apply to each test:*

a. The selected Contractor shall attempt to:

i. escalate privileges beyond those of a normal external user

ii. gain access to restricted information

iii. gain administrative control of systems

iv. bypass security controls on the various systems and applications

b. Any tools, scripts, or methods which show a reasonable likelihood of
causing disruption of VRS networks or systems are to be fully discussed
with VRS Point of Contact along with appropriate remediation/recovery
strategies prior to execution against VRS networks or systems. VRS may
require that such processes be run within a specific time-window outside
normal business hours.

c. The Contractor will take all reasonable precautions to ensure that any
information gathered or generated during the test will be accessible only
to those individuals involved in performing the test and/or generating the
report. The Contractor is expected to run hard disk encryption on any
portable laptop used to gather data.

d. Secure communications should be used for all status updates, reports or
information gathering.

e. During each test the Contractor will appoint a technical point of
contact (POC), directly involved in the test, who will be available by
phone 24/7 during the test.

f. Up to two retests of any High or Critical findings should be provided at
no extra cost (this work would be remote).

g. It is expected that manual penetration assessment techniques be used in
tests in conjunction with any desired automated tools/techniques.

h. Contractor is to make every effort to identify and remove false
positives from the test report and remove anything that is not a true
material threat or vulnerability. The Contractor should not list
vulnerabilities that cannot be substantiated or that are just theoretical.
Theoretical vulnerabilities are expected to be tested and removed if not
susceptible to attack. It should be clearly noted and explained why if
these vulnerabilities remain on the report; mitigating factors should be
noted with an accurate level of risk. Reviewing VRS hardening
documentation, exception requests or interviewing technical staff may be
necessary to apply an appropriate risk factor on theoretical
vulnerabilities.



*3. VRS requires the following deliverables for each project:*

a. The deliverable for each project will be a comprehensive test report.
This test report is expected to be customized for each specific test, and
to include understandable, well-reasoned and insightful descriptions of the
various findings, mitigations, and recommendations. It’s expected the
report will be written by the team conducting the test (and reviewed by
tech writers as necessary). Canned reports generated by automated tools
(e.g. detailed scanner results) are expected to be included as a separate
technical report. All highly sensitive information such as passwords,
encryption keys, financial or personally identifiable information is to be
obscured or removed from report. The following define the requirements for
each test report. The report(s) should, at a minimum, contain the following
sections:



1) Executive Summary containing an overview of the test and test results,
and highlighting significant findings, including things VRS is performing
well and things we need to improve, appropriate for upper management. This
section of the report must be useful and understandable to non-technical
personnel.

2) Technical Report appropriate for technical personnel, containing:

a) Inventory of systems assessed

• Hostname / IP address

• System function (web server, email server, etc.)

• Risk level for the particular system as determined and confirmed by the
penetration test results.

b) Detailed vulnerability description

• Description of the vulnerability

• Description of mitigating factors in place

• Level of risk as it applies to the specific case

• System(s) affected

• Ramification of exploitation

• Remediation recommendations

c) Detailed timeline of the test identifying each step of the test.
Included for each step:

• Date/time stamp

• Vulnerability / issue explored

• System(s) affected

• Method(s) employed

• Tool(s) employed

• Expected results

• Actual results

• Screen shots where appropriate

d) Evidence of system access

• Screen shots of non-public information, or showing administrative access
(redact any sensitive or confidential information)

• Plain-text flag files using readily identifiable names and contents.

• Other non-destructive, non-disruptive method.
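As an added illustration of the timeline, evidence and redaction requirements in section 3 (this is example code written for this page, not part of the VRS solicitation or the recruiter's message), the following Python module records each test step with the fields listed under 2.c, writes a plain-text flag file of the kind described under 2.d, and masks credential-like strings before the timeline is rendered. The engagement name, hostnames, 203.0.113.x addresses and step contents are constructed sample data; the secret patterns are an assumed starting set, not a VRS requirement; and the flag is written into a local evidence directory only to show the naming convention, whereas on a real engagement it would be placed on the compromised host.

```python
"""Engagement evidence log for a penetration test report.

Added example, not part of the solicitation text. Records each test step with
a timestamp, tool, expected and actual result; writes a plain-text flag file
as non-destructive proof of access; and redacts credential-like material
before the timeline is rendered. All hosts, addresses and step contents are
constructed sample data.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from tempfile import mkdtemp

# Material the report must not carry verbatim. Assumed formats; extend per engagement.
_SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd|secret|token|apikey)\s*[:=]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),     # SSN-shaped
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),    # card-number-shaped
]


def redact(text: str) -> str:
    """Replace secret-looking substrings with a placeholder that keeps a short
    fingerprint, so two different redacted values remain distinguishable."""
    def mask(m: re.Match) -> str:
        fp = hashlib.sha256(m.group(0).encode()).hexdigest()[:8]
        label = f"{m.group(1)}=" if m.lastindex else ""   # keep the field name, drop the value
        return f"{label}[REDACTED:{fp}]"
    for pat in _SECRET_PATTERNS:
        text = pat.sub(mask, text)
    return text


@dataclass
class Step:
    """One row of the detailed timeline (section 3.2.c)."""
    when: datetime
    issue: str
    systems: list[str]
    method: str
    tool: str
    expected: str
    actual: str
    screenshot: str | None = None


@dataclass
class EngagementLog:
    engagement: str
    evidence_dir: Path
    steps: list[Step] = field(default_factory=list)

    def record(self, issue, systems, method, tool, expected, actual,
               screenshot=None, when=None) -> Step:
        step = Step(when or datetime.now(timezone.utc), issue, list(systems),
                    method, tool, expected, actual, screenshot)
        self.steps.append(step)
        return step

    def drop_flag(self, host: str, tester: str) -> Path:
        """Write a flag file whose name and body identify the test (section 3.2.d)."""
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
        path = self.evidence_dir / f"PENTEST_{self.engagement}_{host}_{stamp}.txt"
        path.write_text(f"Penetration test flag - engagement {self.engagement}\n"
                        f"Placed by {tester} on {host} at {stamp}\n"
                        "Non-destructive proof of access; safe to delete after review.\n")
        return path

    def timeline(self) -> str:
        """Render the steps in chronological order with sensitive values masked."""
        lines = [f"Timeline: {self.engagement}", ""]
        for i, s in enumerate(sorted(self.steps, key=lambda x: x.when), 1):
            lines += [f"{i}. {s.when.isoformat(timespec='seconds')}  {redact(s.issue)}",
                      f"   systems : {', '.join(s.systems)}",
                      f"   method  : {redact(s.method)}",
                      f"   tool    : {s.tool}",
                      f"   expected: {redact(s.expected)}",
                      f"   actual  : {redact(s.actual)}"]
            if s.screenshot:
                lines.append(f"   evidence: {s.screenshot}")
            lines.append("")
        return "\n".join(lines)


def build_sample_log(evidence_dir: Path | None = None) -> EngagementLog:
    """Constructed sample engagement: two steps recorded out of order, one
    capturing a password and one an SSN-shaped value that must be masked."""
    log = EngagementLog("VRS-EXT-2024", Path(evidence_dir or mkdtemp()))
    log.record(issue="Privilege escalation via service account token",
               systems=["app02.example.test (203.0.113.22)"],
               method="Read world-readable config, replay token against admin API",
               tool="curl", expected="Token rejected for admin endpoints",
               actual="Admin endpoint returned HR export; token=eyJhbGciOiJIUzI1 row shows 123-45-6789",
               when=datetime(2024, 5, 1, 13, 40, 0, tzinfo=timezone.utc))
    log.record(issue="Weak vendor credential on management interface",
               systems=["mgmt01.example.test (203.0.113.10)"],
               method="Manual login with vendor default account",
               tool="web browser", expected="Login rejected",
               actual="Login accepted; password=Welcome123 granted admin role",
               screenshot="shots/mgmt01-admin.png",
               when=datetime(2024, 5, 1, 13, 2, 11, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.timeline())
    print("flag written:", sample.drop_flag("mgmt01", "J. Tester"))
```

The fingerprint in each placeholder lets a reviewer confirm that, say, the same credential was reused across two steps without the report ever containing it; the unredacted values stay only in the tester's encrypted working notes, which is what requirement 2.c asks for.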






*Staff Required Under this Contract:*

1) VRS requires that the staff assigned to a project be a Certified
Professional that is holding a current certification in one or more of the
following or equivalent.

• CISSP (Certified Information Systems Security Professional)

• OSCP (Offensive Security Certified Professional)

• CHFI (Certified Hacking Forensic Investigator)

• CEH (Certified Ethical Hacker)

• GIAC GPEN (GIAC Penetration Tester)

• GIAC GWAPT (GIAC Web Application Penetration Tester)



*Thanks*



*Amanpreet Singh *

*Direct:* 408 216 8035 *Fax: *703-722-6628

*Email:* [email protected]

*Elegant Enterprise-Wide Solutions, Inc *

We Participate in E-Verify

An SBA 8(a), ISO 9001:2008 Company

*Prime on GSA Schedule 70, 8(a) STARS II, eFAST, Seaport-e & many
State/Local Contracts *http://www.elegantsolutions.us

-- 
You received this message because you are subscribed to the Google Groups 
"US_IT.Groups" group.