
B.1, B.9
Rock Pile Securities, LLC
232 Rock Pile Drive
Fort Wayne, Indiana 46801
1-800-666-6666
Corey Speedy

B.2 Rock Pile Securities, LLC has not been merged, acquired, or sold since its start.
B.3 Rock Pile Securities, LLC does not hire convicted criminals.
B.4 Rock Pile Securities, LLC has never been in litigation.
B.5 Rock Pile Securities, LLC has never filed for bankruptcy.
B.6 Rock Pile Securities, LLC has never had a matter pending before the Securities and Exchange Commission.
B.7 Rock Pile Securities, LLC is a security services provider serving clients and organizations of various sizes, including several state and federal government agencies. We demonstrate compliance with specific security-related regulations.

B.8, B.9, B.14, B.15 Formed in 2002, Rock Pile Securities, LLC started as a small corporation with only five employees. At that time, the firm's main focus was to provide database performance tuning and security services for database applications. By 2006, the firm routinely provided complete security services, including assessments, penetration tests, policy creation, and regulatory compliance assistance. Rock Pile Securities, LLC's annual gross sales are currently 1.6 million U.S. dollars. We now have 16 employees.

B.12 Coding will be done by a contractor. Brock Samson resides at our mailing address. He will be doing all database coding on this contract.

B.10 B.11 B.13

C.1, C.2, C.3, C.4, C.7, C.8 Security Vulnerability Assessments and Pen Tests

| Phase | Cost Estimate | Timeline |
| --- | --- | --- |
| Phase I: Information Sharing | $16,875 | 1 week |
| Phase II: Pen Test (1. Testing, 2. Reconnaissance, 3. Footprinting, 4. Scanning, 5. Enumerating) | $112,500 | 4 weeks |
| Phase III: Evaluate source code for programming errors | $122,400 | 4 weeks |
| Phase IV: Presentation of findings | $8,225 | 3 weeks |
| Total | $260,000 | 12 weeks |

Phase I: Information Sharing

The State and representatives of Rockpile LLC hold three meetings with at least a one-day interval between each; we suggest Monday, Wednesday, and Friday. During these meetings the State will answer questions on the nature of the network as it desires, to facilitate and expedite the security assessment. Allocation of 3 team members for this task, at a site of the State's choosing.

Phase II: Penetration testing

Penetration testing activities and the cost estimate are based on the assumption that the State will provide little information, so as to better simulate a live attack/penetration attempt. It is also assumed that existing State security personnel will not be informed of Rockpile LLC's actions. Rockpile LLC will conduct research from public information resources to determine, where possible, information to be used later during both a network breach attempt and physical breaches of State facilities. Allocation of all 8 resources for this task.

Phase III: Source code review

Rockpile LLC will, with permission, subcontract the review of State proprietary source code to Between the Lines, Inc. Rockpile has contracted this company on 3 previous occasions with success. This corporation has offices in the State and has no current projects with the State. They grossed $800,000 in the 12 months prior to this RFP response. They can provide references for State review upon request. Resource allocation is to be determined by the subcontracted corporation to meet the contracted completion date.

Phase IV: Presentation of security assessment

Rockpile will aggregate data from the security assessment and the source code review. They will provide details of their findings and highlight the steps taken in the event a vulnerability was discovered and/or exploited. Findings will be presented at a high-level review, and detailed findings will be provided in a document. Allocation of 4 resources for this task.

5 6 9 10 11

D.2, d.8, d.10

The first gap means that anyone can access the network. The exposure is that the company cannot keep tabs on who is doing what on the network; this is important to stop people from performing malicious actions. Confidential data has to list what is prohibited, because data can be subjective and important data can be shared when it is not authorized to be shared. Mandatory access control is important because it specifically lists who can access the data; this helps ensure data is not viewed by just anyone with power in the company. Having no content filter for email allows anything to be spread within the company, including personal information, which goes against the HIPAA regulations this company is required to follow. Weak passwords allow social engineers and hackers to gain unauthorized access to the network. User education is needed because the company could implement changes and the users would not be educated about the changes.

d.5 Acceptable use policy

1. Brainstorm with managers, IT staff, and higher-ups to develop the outline for the AUP; this includes ideas of how they want their users to use the company's resources. After the initial brainstorming session, the first draft of the AUP will be developed. It will then be reviewed and revised by the top managers of each department. This will all happen during the first day.
2. The AUP will be distributed to all users that use company resources. There will be a one-hour seminar that goes over the main points in the AUP and what it means to the user.

d.1, d.6

| Task Number | Task Description | Required Resources | Cost | Duration (Hrs.) |
| --- | --- | --- | --- | --- |
| 1 | Penetration test to find out what access there is to lock out. | Two personnel | $1,440 | 16 |
| 2 | Phishing e-mails to determine who fills out the form. | Two personnel | $1,440 | 16 |
| 5 | Survey for lack of user knowledge. | Two personnel | $1,440 | 16 |
| 3 | Password crack tools to determine deficiencies or patterns. | Three personnel | $2,160 | 24 |
| 4 | Check portable devices for improper data storage. | Four personnel | $14,400 | 160 |

Task one is the initial test. This will determine what access there is to lock out. This will require two of our pen testers. The cost covers the wages of the employees performing the task. The initial test will only take 8 hours per employee. Task 2 is a test of the knowledge of the users against phishing forms. The cost covers the wages of the employees performing the task. This will take one working day to perform. Task 5 is a generalized test to see what the basic user knows. The cost covers the wages of the employees performing the task. This will require one working day. Task 3 will test the strength of the passwords used on the network. The cost covers the wages of the employees performing the task. This will take one working day to perform. Task 4 is to check all portable devices for improper data storage. The cost covers the wages of the employees performing the task. This will take one working week to perform.

| Task Number | Task Description | Required Resources | Cost | Duration (Hrs.) |
| --- | --- | --- | --- | --- |
| 1 | Loss of Authentication Services | One personnel; additional authentication server (backup) | $3,720 | 8 |
| 2 | Facility infiltration | Two personnel | $1,110 | 4 |
| 3 | Database data theft | One personnel, two from subcontractor (review code) | $10,000 | 16 |
| 4 | Database data corruption | Two personnel; additional DBs, load-balancing, back-up policy | $1,440 | 16 |
| 5 | Workstation corruption/malware infection | One personnel; additional server | $3,720 | |
| 6 | Workstation misuse | Two personnel | $1,440 | 8 |
| 7 | Workstation tampering | Two personnel | $1,440 | 8 |

d.9

Here is a list of risks observed and tested for during the initial pen test. The chart shows each problem, how many people will be involved with each step, the cost, and the estimated time for each risk. Below is a summary of the risks and what will be done to reduce and remove them.

Loss of Authentication Service: configuration error or user error, DDoS, malicious activity, or improper shut-downs (from power loss or otherwise) can corrupt data. The solution is to install an additional Active Directory server as a backup AD authentication server.

Facility infiltration: tailgating was found to be a common practice. All employees should be trained on the dangers of social engineering and tailgating, and the AUP should be updated to include tailgating-prevention practices.

Database data theft: data can be stolen from the database server through SQL injection, and USB drives can be attached to workstations to download database entries. The solution is to install encryption on USB drives handed out by the company and block all other USB devices from connecting, limit entry field lengths to prevent buffer overflows, and configure the application to block SQL injection.

Database data corruption: configuration error or user error, malicious programs, or improper shut-downs (from power loss or otherwise) can corrupt data. The solution is additional database servers to provide load balancing and redundancy. Consider revising the back-up policy to limit down-time during disaster recovery procedures.

d.3, d.4, d.7; e.1, e.2, e.3, e.4, e.5, e.6, e.7, e.8

| Privacy Data Security Gap | Exposure Explanation | Mitigation / Importance |
| --- | --- | --- |
| Open to anybody that has access to the network. | Cannot keep tabs on everybody. Lack of "Big Brother." | Require user authentication. |
| Confidential data should list what is prohibited. | Confidential data is listing do's but should also list do-not's. | Important to list what is prohibited and consequences. |
| Mandatory access control for Secret and Confidential information. | Data owner cannot ensure privacy protection of all individuals. | High importance to increase security. |
| No content filter on email system to prevent emailing (forwarding) an email containing PII. | HIPAA requires restrictions. | Medium importance. |
| Strong complex passwords. | A weak password for user authentication can breach privacy controls to gain information. | High importance. |
| User education. | Every six months, push out User/E-mail policies and point out any points that may have been changed. | Low importance. |

During the Data Privacy Security Gap Analysis we discovered security gaps within the User Domain, Remote Access, the Systems/Application Domain, and the LAN Domain. We have ordered our findings beginning with the gaps that are cheaper and more cost-effective to mitigate initially and throughout maintenance of the security framework.

We discovered that numerous users within the IT framework were using weak passwords. We defined these as passwords containing only alphanumeric characters. A trend also identified was the use of common words, such as password, secret, Yankees, and various usages of a month or season and year (e.g. Spring2011, May 2011). We have chosen to enforce group policy on password complexity, length, and remembrance rules within their Active Directory (AD) structure, which will be cost-effective and relatively cheap to implement as the AD structure already exists.

We also found that access to the network did not require user authentication. A cheap and easy-to-implement control to prevent this is to disable Guest and Anonymous logins within the AD structure. An additional control is to disable Guest login at the local level, handled by a distributed script run at system start-up.

During our review of the security framework's policy on data classification we determined that the policy identifies specific processes and procedures that are allowed, but does not expressly prohibit other processes and procedures. A further review and update to the data classification policy is suggested to expressly prohibit actions in regards to access, storage, or sharing of data. Tied in with this update should be a change or addition of Mandatory Access Controls for the Secret and Confidential data classifications. Using only Discretionary Access Controls allows sharing of these data classes outside of policy guidelines.

In keeping with the effort to limit the spread of confidential and secret data, a content filter is suggested for the Exchange e-mail server. Several e-mails were found during our assessment that contained PII and other confidential information. Content filters will help to prevent accidental transmittal of these types of data.

Lastly, user education on policy and awareness training should be implemented. During our assessment most users were unaware of policies, and also unaware of simple security measures to protect themselves and the State. Monitoring processes should also be implemented to ensure compliance with issued policies and to highlight areas where additional or continued training may be required.

| Privacy Data Security Gap | Mitigation Control | Addresses RFP Requirement |
| --- | --- | --- |
| Weak passwords within user domain. | Group Policy in Active Directory to enforce complex passwords with history. | SOW Task 2 and Pen Test |
| Open to anybody that has access to the network. | Disable Guest and Anonymous access to network. | Penetration and vulnerability test |
| Confidential data should list what is prohibited. | Update and review Data Classification Policy and consequences. | SOW Task 2 |
| Secret and Confidential access under discretionary control. | Mandatory Access Control implementation and Data Classification Standard update. | SOW Task 2 |
| No content filter on email system to prevent emailing (forwarding) an email containing PII. | Content filter on Microsoft Exchange. | SOW Task 1 and 2 |
| Users unaware of or circumventing policies. | Periodic publishing of policies and awareness training, as well as monitoring processes. | SOW Task 3 |
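The weak-password criteria from the gap analysis above (alphanumeric-only passwords, common words such as password, secret and Yankees, and a month or season followed by a year) can be turned into a repeatable check that the assessment team runs over the credential set recovered in the password-strength task, both before and after the Group Policy change, so the Phase IV presentation can report how many accounts each finding affects. The following is an added example written for this page, not code from Rock Pile Securities or the original proposal; the 12-character minimum, the three-character-class rule and the sample accounts are constructed assumptions, and the common-word list contains only the words the report names.

```python
import re

# Weak-password criteria taken from the gap analysis on this page:
#   * only alphanumeric characters (no symbols)
#   * a common word such as "password", "secret" or "Yankees"
#   * a month or season followed by a year, e.g. "Spring2011", "May 2011"
# The length and character-class thresholds below are assumed policy values
# chosen for this example, not figures from the report.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3  # of: lowercase, uppercase, digits, other

# Only the words the report names; a production list would be far longer.
COMMON_WORDS = ("password", "secret", "yankees")

SEASONS_AND_MONTHS = (
    "spring|summer|fall|autumn|winter|"
    "january|february|march|april|may|june|july|august|"
    "september|october|november|december|"
    "jan|feb|mar|apr|jun|jul|aug|sep|sept|oct|nov|dec"
)
# "Spring2011", "May 2011", "Winter_2010" and "fall-11" all match this shape.
SEASON_YEAR_RE = re.compile(
    rf"^(?:{SEASONS_AND_MONTHS})\s*[-_]?\s*(?:19|20)?\d{{2}}$", re.IGNORECASE
)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    return classes


def weaknesses(password: str) -> list[str]:
    """Return the policy findings for one password; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if password.isalnum():
        findings.append("alphanumeric_only")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        findings.append("too_few_character_classes")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        findings.append("common_word")
    if SEASON_YEAR_RE.match(password.strip()):
        findings.append("season_or_month_plus_year")
    return findings


def audit(accounts) -> dict[str, list[str]]:
    """Map each account name to its findings.

    `accounts` is an iterable of (username, password) pairs; in the engagement
    this would be the credential set recovered in the password-strength task.
    """
    return {user: weaknesses(pw) for user, pw in accounts}


def summarize(report: dict[str, list[str]]) -> list[tuple[str, int]]:
    """Count accounts per finding, most frequent first, for the Phase IV presentation."""
    counts: dict[str, int] = {}
    for findings in report.values():
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


# Constructed sample accounts for this example; not real users or credentials.
SAMPLE_ACCOUNTS = [
    ("jdoe", "Spring2011"),
    ("asmith", "May 2011"),
    ("bjones", "password"),
    ("clee", "Yankees"),
    ("dkim", "Winter_2010"),
    ("epark", "Secret1!Secret1!"),
    ("fwong", "Correct-Horse-Battery-7!"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS)
    for user, findings in report.items():
        print(f"{user:8} {', '.join(findings) or 'passes'}")
    print(summarize(report))
```

The checks line up with the Group Policy settings the report recommends under Account Policies > Password Policy: "Minimum password length", "Password must meet complexity requirements" and "Enforce password history". History cannot be judged from a single credential set, so that rule stays a configuration check rather than a data check; re-running the audit after the policy is applied shows whether the season-plus-year and common-word habits have actually disappeared or merely grown a trailing symbol.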
