STATEMENT OF WORK AT&T Consulting Essentials Security Assessment Perimeter

Uploaded by smileybloat, category: Networks and Communications

20 Nov 2013




1 Introduction


This Statement of Work (“SOW”) is incorporated into the applicable Pricing Schedule/Addendum between AT&T Corp. (“AT&T”) and San Joaquin Valley Library (“Customer”) and shall be effective on the latter of (i) the Effective Date of the Pricing Schedule/Addendum or (ii) the later of the dates upon which the parties have both executed this SOW. This SOW outlines the specific AT&T Consulting Services (“Services”) to be provided by AT&T to Customer for the Charges set forth in this SOW.

AT&T reserves the right to modify the prices and any other terms and conditions, including, but not limited to, any section of this SOW, if this SOW is not signed by Customer and AT&T by 05 May 2010.

2 Service Description

AT&T will conduct a Security Assessment - Perimeter (SAP) of your network security posture utilizing AT&T network consulting methodologies to analyze, understand, design, implement, optimize, and/or secure LAN and WAN networks. The scale of the SAP service for Customer is defined by the following parameters:

AT&T shall perform the SAP in two phases. First, AT&T will use tools to perform port and vulnerability mapping using the information provided by Customer. Second, AT&T will analyze the data, prepare the assessment report, and review the report with Customer via telephone.


Overview:

There are three main approaches for conducting a Penetration Test or Security Assessment - Perimeter:

- Zero-Knowledge - with this approach, AT&T acts as a complete outsider to gather information from public sources to start the test and will then gather information as the test progresses. There is an extension to this approach known as the Double-Blind approach, where the internal personnel are not even notified. This will test their reaction as well. This is the most expensive approach.

- Partial-Knowledge - with this approach, AT&T and the customer agree on the data to be transferred before conducting the test. This is a more economical approach.

- Full-Knowledge - with this approach, the customer provides all information requested by AT&T prior to the assessment. This is the most economical approach.


AT&T will perform the following services for the SAP:

- Enumeration and Mapping of Hosts - Utilizing the range of IP Addresses supplied by the customer, AT&T will run tools to identify hosts visible from the Internet within the range. AT&T may also retrieve public records during this phase to assist in the detection of hosts. Techniques are used to detect hosts that are hidden from normal scanning techniques, such as blocking ICMP Echo Requests. Output from this phase will provide an inventory of servers visible from the outside and will additionally serve as confirmation to the customer of servers evaluated.

- Enumeration and Mapping of Services - For the identified hosts, AT&T will perform a full port scan to determine which ports are open on each host. Once an open port is identified, AT&T will seek to determine the service being offered on that port. Output from this phase will provide the customer an inventory of services offered to the outside and can be used to turn down unnecessary services, thereby reducing risk.

- Enumeration and Mapping of Vulnerabilities - AT&T will utilize a Broad Spectrum vulnerability scanner to identify and prioritize potential vulnerabilities in the software and operating systems of the hosts visible from the Internet. The scanner utilizes plug-in components that cover thousands of known vulnerabilities across many operating systems and applications. AT&T will conduct the scan from the outside of the network, namely from the Internet. This assessment will characterize your organization as it is seen from the outside world. Output from this phase will provide a list of potential vulnerabilities.

- Report Potential Vulnerabilities - Vulnerability scanning is an inclusive, rather than an exclusive, process. Scan results describe the pool of potential vulnerabilities. Work must be done to either exclude a vulnerability or confirm that it is a probable vulnerability. AT&T will provide expert advice on probable false positive results and mark results accordingly. Output from this phase will provide Customer a comprehensive view of potential server vulnerabilities rated by severity.

- Exploitation of Vulnerabilities - If this option is chosen, AT&T will then attempt to exploit vulnerabilities in order to compromise the target host. Our goal is not to destroy or compromise any information, but rather to progress to the point where we have demonstrated that it is possible.

- Rogue Modem Detection - With a technique known as WAR dialing, we can identify numbers that provide access to computing resources within your organization. We can further attempt to identify the technology behind the modem and attempt to gain access by testing a limited number of carefully chosen passwords.



3 AT&T Deliverables


AT&T will conduct the SAP as described in this Proposal. Upon completion, AT&T shall provide a report containing deliverables as indicated in Table 1 below.

Table 1: Engagement Deliverables

Event      Deliverables
Report     Electronic findings document
Database   Database of all findings including custom Queries and Reports

The report will contain documented and detailed findings as a result of performing the service and will convey AT&T’s opinion of how best to remedy vulnerabilities from a vendor-neutral perspective.


Documentation will be comprised of a Summary Report and a Detailed Report. The summary report will provide overview information including:

- Threat rank for each host - Scored 1 through 5, representing the highest level vulnerability on that host.

- Threat score for each host - Sum of all threat ratings for all vulnerabilities on each host, identifying which hosts present the most risk.

- Distinct Vulnerabilities - A list of the vulnerabilities occurring at least once on any host in the network.

The detailed report will provide comprehensive information including:

- Vulnerabilities by Host - Ordered by host, vulnerabilities found on each host. This view allows the reader to understand the threat to a particular host.

- Hosts by Vulnerability - Ordered by vulnerability, hosts that exhibit a particular vulnerability. This view allows the reader to understand the hosts affected by a particular vulnerability.
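The summary and detailed report views described above, together with the false-positive triage step from "Report Potential Vulnerabilities", can be derived mechanically from raw scanner output. The following is an added worked example in Python; it is not AT&T's tooling and does not reproduce the report format of this SOW. The hosts, ports, vulnerability identifiers, titles, the 1-5 severity scale and the status labels "probable" and "false_positive" are all constructed assumptions. Threat rank is taken as the highest severity on a host, threat score as the sum of severities of the probable findings on that host, and both ordered views are built from the same triaged list so that excluded results never influence the scoring.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result after analyst review (constructed schema, not AT&T's)."""
    host: str       # Internet-visible host (constructed documentation-range address)
    port: int       # open port on which the service was found
    vuln_id: str    # scanner plug-in / vulnerability identifier (constructed)
    title: str
    severity: int   # 1 (low) .. 5 (critical), chosen to match a 1-5 threat rank
    status: str     # "probable" or "false_positive" (assumed analyst labels)


# Constructed sample scan output; hosts and findings are illustrative only.
FINDINGS = [
    Finding("203.0.113.10", 443, "V-001", "TLS 1.0 enabled", 2, "probable"),
    Finding("203.0.113.10", 80, "V-002", "HTTP TRACE method enabled", 1, "probable"),
    Finding("203.0.113.10", 22, "V-003", "SSH weak MAC algorithms", 2, "false_positive"),
    Finding("203.0.113.25", 25, "V-004", "SMTP open relay", 5, "probable"),
    Finding("203.0.113.25", 443, "V-001", "TLS 1.0 enabled", 2, "probable"),
    Finding("203.0.113.30", 21, "V-005", "Anonymous FTP login", 3, "probable"),
    Finding("203.0.113.30", 21, "V-006", "FTP banner reveals version", 1, "false_positive"),
]


def confirmed(findings):
    """Triage: scanning is inclusive, so drop results the analyst marked false positive."""
    return [f for f in findings if f.status == "probable"]


def threat_rank(findings):
    """Threat rank per host: the highest severity (1..5) present on that host."""
    rank = {}
    for f in confirmed(findings):
        rank[f.host] = max(rank.get(f.host, 0), f.severity)
    return rank


def threat_score(findings):
    """Threat score per host: sum of severities of all probable findings on that host."""
    score = defaultdict(int)
    for f in confirmed(findings):
        score[f.host] += f.severity
    return dict(score)


def distinct_vulnerabilities(findings):
    """Vulnerabilities seen at least once on any host, highest severity first."""
    seen = {}
    for f in confirmed(findings):
        seen[f.vuln_id] = (f.title, f.severity)
    rows = [(vid, title, sev) for vid, (title, sev) in seen.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def vulnerabilities_by_host(findings):
    """Detailed view 1: for each host, the vulnerability ids found on it."""
    view = defaultdict(set)
    for f in confirmed(findings):
        view[f.host].add(f.vuln_id)
    return {host: sorted(ids) for host, ids in view.items()}


def hosts_by_vulnerability(findings):
    """Detailed view 2: for each vulnerability id, the hosts that exhibit it."""
    view = defaultdict(set)
    for f in confirmed(findings):
        view[f.vuln_id].add(f.host)
    return {vid: sorted(hosts) for vid, hosts in view.items()}


def hosts_by_risk(findings):
    """Hosts ordered from most to least risk: score first, rank as tie-breaker."""
    score, rank = threat_score(findings), threat_rank(findings)
    return sorted(score, key=lambda h: (-score[h], -rank[h], h))


if __name__ == "__main__":
    rank, score = threat_rank(FINDINGS), threat_score(FINDINGS)
    print("Host ranking (most risk first):")
    for host in hosts_by_risk(FINDINGS):
        print(f"  {host:14} rank={rank[host]} score={score[host]}")
    print("Distinct vulnerabilities:")
    for vid, title, sev in distinct_vulnerabilities(FINDINGS):
        print(f"  {vid} sev={sev} {title}")
    print("Hosts by vulnerability:", hosts_by_vulnerability(FINDINGS))
```

Because every view is computed from confirmed(), a result reclassified as a false positive disappears from the threat score, the distinct list and both detailed views at once, which is the property a reader of the report relies on when the scanner's inclusive output is narrowed to probable findings.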

4 Engagement Schedule


Services described in this SOW shall start to be implemented upon Contract execution. This project will take place in separate intervals taking approximately 12 Business Day(s) to complete.

AT&T and Customer will jointly determine the start date for the engagement within 30 days of contract signature. The Services provided under this SOW shall only be performed during normal business hours, defined as Monday through Friday 8:00 A.M. to 5:00 P.M., local time, excluding AT&T official holidays.



AT&T Designated Holiday    Date Observed
New Year’s Day             January 1
Memorial Day               Last Monday in May
Independence Day           July 4
Labor Day                  1st Monday in September
Thanksgiving Day           4th Thursday in November
Day After Thanksgiving     4th Friday in November
Christmas Day              December 25

5 Customer Responsibilities


AT&T shall solicit, obtain and/or confirm the following information from the Customer:

(a) Provide identity and contact information for the Customer Project Manager.

(b) Provide Local Site Contact name, telephone number, address, and email for both a primary and backup Local Site contact. This is to facilitate local scheduling issues, and other Site-specific details. This information is to be provided to AT&T for each work project.

(c) Confirmation that the Customer has performed the appropriate Site preparation activities when applicable.

(d) Provide Customer resources on-site during project.

(e) Project execution shall be performed during normal business hours. The Customer shall be responsible for making access available during this timeframe.

(f) Accept completed services utilizing the provided site acceptance form.

6 Acceptance Criteria/Approval


AT&T will complete and obtain Customer signature on the Acceptance document as shown in Appendix.
7 Schedule of Charges


AT&T will conduct the SAP as described in this Proposal with the following parameters and pricing.

Table 2: Project Parameters

Parameter                 Selection
Discovery Approach        Full Knowledge
Vulnerability Level       Probable
Address Space             256 IP Addresses
Number of Active Hosts    0 Live Hosts
Modem Detection           0 Numbers
Timeframe                 8:00 A.M. to 5:00 P.M., Central time
Consultation              1 hour
Documentation             Summary, Detail reports, CD ROM

Table 3: Pricing

Component                                            Price
AT&T Security Assessment - Perimeter, Single Scan    $1,578

At the conclusion of this project, AT&T shall give a project summary presentation to Customer personnel to review the deliverables, answer questions, and provide direction for next step action items.


8 Additional Items


(a) All Customer locations are in the United States.

(b) AT&T and Customer understand that due to the nature of Service being performed, unintentional service disruption is feasible even with destructive probing disabled. AT&T is not responsible for interruptions of Customer’s network services during delivery of tasks described in the Services described herein.

(c) Agreement Enabling Expenses - AT&T will perform the work using tools selected by AT&T. Any additional hardware, software, connectivity and training expenses required by Customer (if any) to complete delivery of Services will be provided by Customer.

(d) Travel Time and Expenses - AT&T and Customer agree that some engagement meetings will be conducted using teleconference calls and all work will be executed at an AT&T or partner facility unless otherwise specified in Sections 2 and/or 3 herein. If Customer requires AT&T or partner personnel to travel to perform work on or visit a Customer site, or attend a meeting with Customer staff, standard business expenses (e.g., travel, food and lodging) AT&T personnel incur in connection with provisioning services under this agreement shall be invoiced separately.

(e) AT&T and Customer understand and agree that the performance of these Services, as provided in accordance with this Agreement and SOW, may improve Customer’s security posture. These Services can neither identify nor eliminate all risks by unauthorized or authorized parties to affect Customer’s environment.