Terms of Reference: Pentest and Vulnerability Assessment - 2023 at Fairtrade International

The Supplier shall provide vulnerability assessment Services including but not limited to the following:

• Catalogue FTA Information Technology (“IT”) assets and resources (e.g., applications, endpoint devices, network and servers), etc.;
• Assess current network security measures to identify any vulnerability exists in our network architecture;
• Conduct external and/or internal vulnerability scans to identify any security vulnerability exists in FTA asset and resources;
• Conduct web application security assessment;
• Conduct wireless security assessment;
• Conduct personal security awareness assessment; and
• Report security issues that pose an imminent threat are to be reported to FTA as they are being identified.
• Vulnerability Assessment Services Reporting and Presentation

Upon completion of each Service, the Suppliershall provide the FTA with a vulnerability assessment report which includes the following information at a minimum:

• Executive summary;
• Scope of Service;
• Detailed results of identified vulnerabilities;
• Detailed explanation of the implications of the identified vulnerabilities, business impact and potential risks;
• Detailed steps of immediate mitigation;
• Recommended high risk areas for FTA immediate attention, as applicable; and
• Deliver presentation to FTA, as requested.
• Category B – Penetration Testing Services
• Key Penetration Testing Services
• The Supplier shall provide the following quality penetration testing Services as further described below:
• Application penetration testing Services;
• Network penetration testing Services;
• Social engineering testing Services; and
• Web application testing Services.
• Application Penetration Testing Services

The Supplier shall provide application penetration testing Services including but not limited to the following:

• Manual probing of application interfaces;
• Authentication process testing;
• Automated fuzzing;
• Development of test datasets and harnesses;
• Encryption usage testing (e.g., applications’ use of encryption)
• Forming manual or automatic code review forsensitive information of vulnerabilities in the code;
• Testing of the application functionality including but not limited to:
• Input validation (e.g., bad or over-long characters, URLs);
• Transaction testing (e.g., ensuring desired application performance);

Testing systems for user session management to see if unauthorized access can be permitted including but not limited to:

• Input validation of login fields;
• Cookie security;
• Lockout testing; and
• User session integrity testing.
• Network Penetration Testing Services

The Supplier shall provide network penetration testing Services including but not limited to the following:

• Provide penetration testing from both inside and outside of FTA network;
• Identify targets and map attack vectors (i.e., threat modelling);
• Internet Protocol (“IP”) address mapping of network devices;
• Logical location mapping of network devices;
• Transmission Control Protocol (“TCP”) scanning, connect scan, SYN scan, RST scan, User Datagram
• Protocol (“UDP”) scan, Internet Control Message Protocol (“ICMP”) scan, and Remote Procedure Call (“RPC”) port scan;
• Operating System (“OS”) fingerprinting (OS fingerprinting is the combination of passive research and active scanning tools to generate an accurate network map);
• Banner grabbing;
• Brute force attacks;
• Denial of Service (“DDoS”) testing;
• Network sniffing;
• Spoofing;
• Trojan attacks; and
• War dialing.
• Social Engineering Testing Services

The Supplier shall provide human centric social engineering testing Services including but not limited to the following:

• Pretexting;
• Phishing campaigns (e.g., email, phone); and Physical tests (e.g., tailgating, entry into controlled facility areas).
• Web Application Penetration Testing Services

The Supplier shall provide web application penetration testing Services that cover the vulnerabilities listed below at a minimum:

• Injection;
• Broken Authentication and Session Management;
• Cross Site Scripting (“XSS”);
• Insecure direct object references;
• Security misconfiguration;
• Sensitive data exposure;
• Missing function level access control;
• Cross Site Request Forgery (“CSRF”);
• Using components with known vulnerabilities; and
• Unvalidated redirects and forwards.
• Additional Penetration Testing Services
• The Supplier should provide the following quality penetration testing Services asfurther described below:
• Payment Card Industry (“PCI”) penetration test; and
• Wireless penetration test.
• Wireless Penetration Testing Services

The Supplier should provide wireless penetration testing Services including but not limited to the following:

• Wireless network testing / war driving;
• Wireless, Wired Equivalent Privacy (“WEP”) / Wi-Fi Protected Access (“WPA”) cracking; and
• Telephony or Voice Over Internet Protocol (“VoIP”) testing.
• Penetration Testing Methodologies and Standards
• The Supplier shall provide automated, manual or hybrid penetration testing Services. We may request the Supplier to perform various types of penetration testing Services such as White Box, Black Box or Grey Box testing.

The Supplier shall provide penetration test Services following appropriate industry wide, highly recognized methodologies and standards such as:

• Open Source Security Testing Methodology Manual (“OSSTMM”);
• National Institute of Standards and Technology (“NIST”) SP 800-42;
• Open Web Application Security Project (“OWASP”);
• Penetration Testing Execution Standard (“PTES”);
• Payment Card Industry (“PCI”) Data Security Standard (“DSS”) Guidance: PCI Information

Supplement:

• Penetration Testing Services Clean Up

The Supplier shall clean up properly after penetration testing Services completion ensuring FTA environments are not impacted because of the penetration testing Services, the cleanup activities include but are not limited to the following:

• Update and/or removal of test accounts added or modified during testing;
• Update and/or removal of database entries added or modified during testing;
• Uninstall test tools or other artefacts as applicable;
• Restoring security controls that have been altered for testing;
• Provide FTAs with necessary information and/or guidance on how to verify FTA environments have been restored; and
• Provide FTA with confirmation that the environments have been cleaned and restored.
• In situations where we find issues after Services have been completed, the Supplier shall return and fix the issue to our satisfaction.

Logs

• The Supplier shall log and trace each activity and information sent and received between the Supplier’s and FTA environments as it pertains to the Service activities. This log shall be provided to FTA upon request in a format that is approved by FTA.
• Penetration Testing Services Reporting and Presentation

The Supplier shall provide FTA with a report for each Service completed, the report shall include the following information at a minimum:

• Executive Summary;
• Scope of Service;
• Identification of critical components and explanation of why these components were tested;
• Methodologies and tools used to conduct the testing;
• Any constraints that impacted the testing (e.g., specific testing hours, bandwidth, special requirements);
• Description of the progression of the test and issues encountered during the testing with timelines;
• Findings from the tests (e.g., exploitation, severity) with details;
• Affected targets in FTA environments; and Recommendation on remediation.

The reports must have the following items:-

• Executive Summary :- Brief high-level summary of the penetration test scope and major findings with overall severity graph
• Statement of Scope : A detailed definition of the scope of the network and systems tested as part of the engagement, Clarification of Environment vs. non- Environment systems or segments that are considered during the test, Identification of critical systems in or out of the Environment and explanation of why they are included in the test as targets
• Statement of Methodology : Details on the methodologies used to complete the testing (port scanning, nmap etc.)
• Limitations: Document any restrictions imposed on testing such as designated testing hours, bandwidth restrictions, special testing requirements for legacy systems, etc.
• Segmentations: Provide details asto the testing methodology and how testing progressed. For example, if the environment did not have any active services, explain what testing was performed to verify restricted access. Document any issues encountered during testing (e.g., interference was encountered as a result of active protection systems blocking traffic).
• Summary of test results : Detailed results for vulnerabilities discovered, exploited vulnerabilities and proof of concepts/screenshots, detailed explanations of the implications of findings, business impacts, and risks for each of the identified exposures.
• Recommendations :- Remediation recommendations to close the deficiencies identified.Detailed steps (wherever/whenever applicable) to be followed while mitigating the reported deficiencies. Security issues that pose an imminent threat to the system are to be reported immediately.
• Tools Used : Details of all the tools used and for the purpose & target system and its impact.
• Clean up : After testing there may be tasks the tester or customer needs to perform to restore the target environment (i.e., update/removal of test accounts or database entries added or modified during testing, uninstall of test tools or other artifacts, restoring active protection-system settings, and/or other activities the tester may not have permissions to perform, etc.). Provide directions on how clean up should be performed and how to verify that security controls have been restored.

DURATION OF THE ASSIGNMENT

• The supplier/consultant is expected to complete the assignment in 30 days from the date of issuance of a Local Purchase Order (LPO) and 40% down payment.

QUALIFICATION OF THE CONSULTANT

• FTA is looking for a firm with demonstrated experience in penetration testing and vulnerability management.

Your proposal should indicate: -

• Company profile with information on proficiency in information security with an excellent knowledge and practice of IT Vulnerability Management and Penetration testing.
• A detailed work plan, including timeframes on how to conduct scheduled vulnerability and penetration testing on the existing infrastructure including externally facing IP’s.
• A financial quotation based on the terms of reference above.
• Composition and experience of proposed team
• Registration certificate, PIN and Tax compliance certificate
• References and relevant experience, the bidder to provide:
• A minimum of three (3) companies with evidence where similar work has been implemented within the last five (5) years.
• The bidders are requested to provide FTA with details of clients to complete the reference checks.