Appendix #1 - Banque de France

RFI
Ref.: RFI penetrationTestTool_RFI
Request for Information
OI / DIT / COS
RFI (Request for Information)
Solution for Automated Penetration Tests
Page 1/8
SUMMARY
1. PURPOSE (p. 3)
2. INFORMATION SCOPE (p. 3)
2.1. TECHNICAL SCOPE (p. 3)
2.1.1. Required functionalities (p. 3)
2.1.2. General Features (p. 4)
2.1.3. Specific Features (p. 5)
2.2. OPERATIONAL SCOPE (p. 5)
3. SUBMISSION INSTRUCTIONS (p. 5)
3.1. RESPONSE PACKAGE (p. 5)
3.2. INQUIRIES (p. 5)
4. IMPORTANT NOTES (p. 5)
4.1. SUBMISSION PROTECTION (p. 5)
4.2. COMPENSATION (p. 6)
APPENDIX #1 (p. 7)
APPENDIX #2 (p. 8)
Privacy level : Public
This Request for Information (RFI) is issued solely for information gathering and planning purposes;
this RFI does not constitute a formal solicitation for proposals. It does not obligate Banque de France
in any way.
Responses to this notice are not offers and cannot be accepted by Banque de France to form a
binding contract.
Banque de France does not intend to award a contract on the basis of this RFI or to otherwise pay for
the information solicited, nor is Banque de France obligated to issue a solicitation based on
responses received.
1. Purpose
Banque de France is seeking information on solutions to automate penetration tests that it performs
on its own Information System.
The RFI is intended to collect all the information needed to establish the general conditions under which
the automation of penetration tests can be achieved with the technical solutions available on the market.
Answers to this RFI will allow respondents to share their experience and references in the
designated fields, at either a national or international level, and notably with other banks or
public administrations.
2. Information scope
Both appendixes included in this RFI should be filled in as completely as possible, so that Banque
de France can make optimal use of the information collected.
The respondents must supply all the technical, financial and legal information they deem necessary.
2.1. Technical Scope
The proposed solution must provide a framework allowing the exploitation of vulnerabilities in a
reliable manner.
2.1.1. Required functionalities
The proposed solution must have the functionalities outlined below.
Source code of vulnerability exploits:
- [E1] The solution must provide exploits for previous and current versions of commonly
used client software (such as Microsoft Windows, Office, Internet Explorer, Adobe Reader
and Flash, Oracle Java, etc.).
- [E2] The solution must provide exploits for previous and current versions of commonly
used server software (such as Microsoft Windows, IIS, SQL Server, Exchange, Apache Tomcat
Server, JBoss, IBM WebSphere, Oracle Database Server, etc.).
- [E3] The solution must provide an update system so that Banque de France can obtain the
latest version of the exploit source code addressing recent versions of both the client and server
software commonly used within its Information System.
- [E4] If applicable, exploit source code must be able to bypass common software protections
(such as DEP, ASLR, HeapSpray, Canaries and so on).
- [E5] Ideally, the solution should provide exploit source code for French versions of the
vulnerable software where applicable.
Payload:
- [P1] The solution must provide payloads that allow the operator to:
  - Collect basic information (such as operating system, username, etc.)
  - Collect advanced information (such as IDs located in memory and on mass storage
systems, documents containing certain patterns, etc.)
  - Get a shell
  - Control the target (screen, keyboard and mouse)
  - Log users' keystrokes (keylogger)
  - Take screenshots
  - Record sound and video through a webcam, or take pictures with it
  - Record sound through a microphone
  - Get files hosted on the target
  - Put files on the target
  - Persist (the payload must allow an attacker to come back even if the target has been
rebooted)
  - Be uninstalled/cleaned
  - Pivot to other targets (perform the same actions as those listed above on other targets,
from an already compromised system)
- [P2] The solution must provide a way to generate customized payloads in order to automate
and schedule all of the above actions (such as scheduling a screenshot every hour).
- [P3] The solution must provide stealthy payloads in order to avoid detection by security
components (whether installed on the target or on the network appliances between the solution and the
target).
Command & Control channel:
- [C1] The solution must provide a reliable and stealthy way of communicating between
the solution and the vulnerable targets.
- [C2] The solution must provide several ways of communicating with the targets (such as HTTP,
DNS, Twitter, documents, etc.).
- [C3] Ideally, if the command & control channel is broken, a second one should be built
automatically.
Exploit development:
- [D1] The solution must allow users to modify exploit source code.
- [D2] The solution must allow users to develop new exploits.
2.1.2. General Features
The solution submitted by the company must provide all the functionalities described above. The
company must detail the modules that implement each of the expected functionalities.
The company must also submit details of all the costs involved and of the licensing model. The solution
must be able to handle approx. 100 targets per year, and must be scalable enough
to cover approx. 200 targets per year at a later time.
2.1.3. Specific Features
No specific features are required.
2.2. Operational Scope
A team of 6 people must be able to use the solution simultaneously.
3. Submission Instructions
Both appendixes included at the end of this RFI should be properly filled in and returned in accordance
with section 3.1 below. Respondents may be asked to present their response orally.
3.1. Response Package
Responses to the present RFI must include the following items:
- A presentation leaflet about the company, its size, and, as far as possible, its partner companies and
clients;
- The properly filled-in appendixes included at the end of this document.
Banque de France also accepts any document that contains relevant information related to this RFI.
Submissions in French are preferred where possible, but this is not a requirement.
The response packages must be sent by email to the following address, no later than 5 May 2014
at 2 p.m.:
achats_informatiques@banque-france.fr
3.2. Inquiries
Inquiries to this RFI must be submitted by email to the following email address:
achats_informatiques@banque-france.fr
4. Important notes
4.1. Submission protection
Neither proprietary nor classified concepts or information should be included in the submission. If
that is not possible, respondents must state whether the information submitted under this RFI
contains trade secrets that must be protected and not divulged.
4.2. Compensation
Banque de France will not provide reimbursement for costs incurred in responding to this RFI.
Respondents are solely responsible for all expenses associated with responding to this RFI.
Appendix #1
RFI Response / Solution xxxxxxxx
Section #1 – “Technical Aspects”
Please complete this form by indicating, for each function, whether your solution fulfils it. For further
details, refer to section 2.1.1.

| Function | Fulfilled | Not fulfilled | Variant/Differences |
|----------|-----------|---------------|---------------------|
| E1       |           |               |                     |
| E2       |           |               |                     |
| E3       |           |               |                     |
| E4       |           |               |                     |
| E5       |           |               |                     |
| P1       |           |               |                     |
| P2       |           |               |                     |
| P3       |           |               |                     |
| C1       |           |               |                     |
| C2       |           |               |                     |
| C3       |           |               |                     |
| D1       |           |               |                     |
| D2       |           |               |                     |
Appendix #2
RFI Response / Solution xxxxxxx
Section #2 – “Financial Aspects”
1 – Breakdown of the main costs involved, by item
The information requested in this paragraph must make it possible to assess the total cost through an
analytical breakdown.
Respondents are advised to fill in the sections below as completely as possible, with detailed cost information.
The solution must be able to handle approx. 100 targets per year, and must be
scalable enough to cover approx. 200 targets per year at a later time.
2.1 – Estimate of investment costs
To fill
2.2 – Items that aid in calculating the operating costs
To fill