
GEARS Cyber Security Services Catalog – Florida DMS Page i of i

GEARS Cyber-Security Services

Florida Department of Management Services Division of State Purchasing

Table of Contents

  Introduction (page 1)
  About GEARS (page 2)
  1. Pre-Incident Services (page 3)
    1.1 Incident Response Agreements (page 3)
    1.2 Assessments of Incident Response Capability (page 4)
    1.3 Incident Response Guidance (page 5)
    1.4 Incident Response Plans (page 5)
    1.5 Incident Response Training (page 10)
  2. Post-Incident Services (page 10)
    2.1 Incident Response Guidance (page 10)
    2.2 Incident Response Mitigation Plans (page 11)
  3. Applicable IT70 Labor Categories (page 11)


Introduction

The Florida Department of Management Services (DMS), Division of State Purchasing (Department) provides centralized statewide contracts for use by all state agencies. DMS has released an RFI to identify vendors under GSA Schedule 70 who are able to perform the cyber-security services listed in the table of contents.

Specifically, DMS is seeking to identify vendors that are able to provide assessment and remediation services in the event of a cyber-security incident, and to provide identity protection, identity monitoring and identity restoration services to any affected individuals, under GSA Schedule 70.

As appliances for intrusion detection become more sophisticated, attack vectors will migrate from targeted system attacks to attacks that use compromised user credentials gained through social engineering. As in previous years, the top three affected industries continue to be Public, Information and Financial Services. We know that no industry or organization is immune to security failures, but given the trend and resurgence of phishing and other social engineering tactics, we see the core of strengthening organizational security lying with the human resources. Figure 1 provides a few statistics on incidents by industry and organization size.

Figure 1. Security incidents by victim industry and organization size (from the 2015 Data Breach Investigations Report)


About GEARS

Global Evaluation & Applied Research Solutions (GEARS) Inc. is ready to support DMS with seasoned cyber-security specialists who provide a variety of services. With practical experience assessing, advising and supporting financial institutions, large telecommunications and wireless carriers, firms that manage large databases of information, and healthcare organizations and providers, as well as providing recommendations for risk and security management programs for global travel management firms, the GEARS team is poised to support the cyber-security needs of DMS. We understand the threat level and can assess your environment, help DMS to minimize vulnerability, and raise cyber-security awareness among your staff.

Ted Ridley is a seasoned professional with extensive experience in information technology (IT), concentrating in information assurance, vulnerability assessments, application design and development, application and network security, program and project management, risk analysis and management, operational and security policy planning and development, business continuity and disaster recovery planning and strategy, and network design, validation and implementation across various public and private industries. Having two decades of combined experience as a network engineer, network security administrator, incident response team manager, business operations practice manager (Managing Consultant) and independent consultant, Ted has an in-depth understanding of security issues and their associated business impact. Ted's breadth of experience in management, technical delivery and business process optimization uniquely qualifies him to provide comprehensive security solutions with a high return on investment (ROI).

For more information, please contact:

Ted Ridley, CSSLP, ECSA, CEH

Director, Information Technology Services

(301) 429-5982

[email protected]

www.getingears.com


1. Pre-Incident Services

GEARS offers a suite of Pre-Incident Services, including:

  • Incident Response Agreements – Creating terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.
  • Assessments – Evaluating a State Agency's current state of information security and cyber-security incident response capability.
  • Preparation – Providing guidance on requirements and best practices.
  • Developing Cyber-Security Incident Response Plans – Developing or assisting in the development of written State Agency plans for incident response in the event of a cyber-security incident.
  • Training – Providing training for State Agency staff, from basic user awareness to technical education.

1.1 Incident Response Agreements

Better to be safe than sorry. Let our experienced cyber-security professionals draft terms and conditions for your organizational response in the event of a cyber-security incident. The GEARS team can support your organization when a computer security attack occurs, an intrusion is recognized, or some other kind of computer security incident occurs. During this critical time, having an established incident response agreement in place provides a fast and effective means of responding.

When an incident occurs, the goal of the Information Systems Incident Response Team (ISIRT) is to control and minimize any damage, preserve evidence, provide quick and efficient recovery, prevent similar future events, and gain insight into threats against the organization. At GEARS, our team is well versed in preserving chain of custody and in the techniques necessary to quickly isolate the affected devices, either remotely or via telephone support, until such time as onsite response teams can arrive. An effective Incident Response Agreement will not only provide the organization with a clear understanding of the actions that should take place in the event of an incident, but also provide service level agreements (SLAs) by which the response time and process will be governed (e.g. isolation of affected devices within 1 hour).

1.2 Assessments of Incident Response Capability

GEARS Cyber Team Lead, Ted Ridley, has performed numerous Enterprise Security Assessments for larger commercial organizations, utilizing the ISO 27002 Enterprise Security Architecture; NIST SP800-115, Technical Guide to Information Security and Assessment; NIST SP800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations; NIST SP800-30, Guide for Conducting Risk Assessments; and NIST SP800-39, Managing Information Security Risk: Organization, Mission, and Information System, as the guidelines for our assessment tool. Our tool provides domain-based scoring of an organization's preparedness and capability not only for Incident Response, but for enterprise security practices as a whole. The tool is designed such that specific domains, such as Incident Response, can be evaluated individually.

Figure 2 is a representative screenshot of the section of the tool used during an incident response assessment.

Figure 2. Tool Used During an Incident Response Assessment (Representative)


Utilizing the guidelines noted above and the baseline tools GEARS has, we will review the organization's policy, guidelines and procedures and develop a customized tool for performing the Incident Response assessment.

1.3 Incident Response Guidance

As previously noted, the GEARS team has notable experience providing guidance on Cyber Security Awareness and preparedness. In that experience we have provided guidance on the requirements and best practices for preparation. In today's world of threats, it is never known who will discover, and have the need to first report, an incident. Therefore, Incident Response preparation is an enterprise-wide effort ensuring that all staff are aware not only of how to identify potential threats and incidents, but also of how to properly report them and begin the isolation process when necessary. Routine Security Awareness Training is at the core of ensuring staff are prepared to recognize and respond to incidents. GEARS has experience providing Security Awareness Training courses developed for both staff and executive-level participants. Each course is tailored specifically to the intended audience. Although a large portion of base course content is consistent across industries, we realize that industry-specific items are critical to providing the best training experience and most useful outcome. Therefore, we bring industry-specific data to bear in our presentation, so that, for example, training for healthcare providers will focus on the attack vectors and most commonly exploited vulnerabilities in the healthcare industry and not those most common to the financial industry. In addition to industry-specific data, GEARS will bring client-specific data gathered through various black box vulnerability and social engineering assessments conducted prior to providing the training. The assessments allow our presenters to provide not only scenario-based information on what to do in case of threats, but actual data on how your team responded to threats.

1.4 Incident Response Plans

As part of our experience developing Vulnerability Management Programs, the GEARS team has worked with all levels within information technology organizations to ensure that not only are the vision and regulatory needs of the Chief Information Officer met, but that the practical and tactical needs of the operations teams that will be implementing the actions from the plan are addressed as well. Having served in capacities spanning from Network Operations Engineer to Network Operations Manager to SVP of Business Operations, our team has a broad understanding of the varied responsibilities of those responsible for incident management. This understanding allows us to provide practical insight and perspective in the development of Incident Response Plans (IRP). The IRP will contain information such as actions defined for both non-IT personnel and IT personnel responding to an incident. The IRP will describe the steps taken during a response to an incident. It will provide contact numbers and the sequencing of contact. It will not only have language describing the steps for contacting IT and/or security and escalation through management, but also a checklist to be completed and submitted as part of the documentation trail for each incident. Examples of areas and associated actions covered by the IRP include:

  • The telephone contact information for the Agency's 24-hour grounds security department, who then contact the Agency IT emergency contact person or affected department contact. The grounds security office will log:
    o The name of the caller.
    o Time of the call.
    o Contact information about the caller.
    o The nature of the incident.
    o What equipment or persons were involved.
    o Location of equipment or persons involved.
    o How the incident was detected.

  • The IT staff member or affected department staff member who receives the call (or discovered the incident) will refer to their contact list for both the management personnel and the incident response members to be contacted. The staff member will call those designated on the list. The staff member will contact the incident response manager using both email and phone messages, while ensuring that other appropriate backup personnel and designated managers are contacted. The staff member will log the information received in the same format as the grounds security office in the previous step. The staff member could possibly add the following:
    o Is the equipment affected business critical?
    o What is the severity of the potential impact?
    o Name of the system being targeted, along with operating system, IP address and location.
    o IP address and any information about the origin of the attack.

  • Contacted members of the response team will meet or discuss the situation over the telephone and determine a response strategy:
    o Is the incident real or perceived?
    o Is the incident still in progress?
    o What data or property is threatened and how critical is it?
    o What is the impact on the business should the attack succeed? Minimal, serious, or critical?
    o What system or systems are targeted, and where are they located physically and on the network?
    o Is the incident inside the trusted network?
    o Is the response urgent?
    o Can the incident be quickly contained?
    o Will the response alert the attacker, and do we care?
    o What type of incident is this? Example: virus, worm, intrusion, abuse, damage.

  • An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:
    o Category one - A threat to public safety or life.
    o Category two - A threat to sensitive data.
    o Category three - A threat to computer systems.
    o Category four - A disruption of services.

  • Team members will establish and follow one of the following procedures, basing their response on the incident assessment:
    o Worm response procedure
    o Virus response procedure
    o System failure procedure
    o Active intrusion response procedure - Is critical data at risk?
    o Inactive intrusion response procedure
    o System abuse procedure
    o Property theft response procedure
    o Website denial of service response procedure
    o Database or file denial of service response procedure
    o Spyware response procedure
    The team may create additional procedures that are unforeseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.

  • Team members will use tools such as EnCase and forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim, to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and organization.
  • Team members will recommend changes to prevent the occurrence from happening again or infecting other systems.
  • Upon management approval, the changes will be implemented.
  • Team members will restore the affected system(s) to an uninfected state. They may do any or all of the following:
    o Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
    o Make users change passwords if passwords may have been sniffed.
    o Be sure the system has been hardened by turning off or uninstalling unused services.
    o Be sure the system is fully patched.
    o Be sure real-time virus protection and intrusion detection are running.
    o Be sure the system is logging the correct events and to the proper level.

During the response, and as part of the execution of the IRP, the ISIRT will ensure that the resulting Incident Report captures a few critical items, including the following:

  • How the incident was discovered.
  • The category of the incident.
  • Where the incident occurred (whether through email, firewall, etc.).
  • Source of the incident (IP addresses and other information about the attacker).
  • The type of response that was implemented.
  • Details of the response.
  • Outcomes – effectiveness of the response.

Additionally, the ISIRT will ensure that the necessary steps are taken to protect the organization's assets and to provide legal counsel with all that may be required for prosecution. In doing so, the ISIRT will manage the following tasks that support the organization in its business continuity practices:

  • Evidence Preservation – make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond, in case of an appeal.
  • Notify proper external agencies – notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here.
  • Assess damage and cost – assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
  • Review response and update policies – plan and take preventative steps so the intrusion can't happen again.
    o Consider whether an additional policy could have prevented the intrusion.
    o Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
    o Was the incident response appropriate? How could it be improved?
    o Was every appropriate party informed in a timely manner?
    o Were the incident-response procedures detailed, and did they cover the entire situation? How can they be improved?
    o Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
    o Have changes been made to prevent a new and similar infection?
    o Should any security policies be updated?
    o What lessons have been learned from this experience?
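As an added illustration (not GEARS' tooling or any code from the catalog), the following Python sketch encodes the intake log fields, the "highest applicable level" categorization, the procedure selection with its document-and-establish-later fallback, and the incident report completeness check described in the IRP section above. The function names, assessment flag names and ticket id format are assumptions of this example.

```python
from dataclasses import dataclass

# Fields the 24-hour grounds security office logs for every call (per the IRP text).
INTAKE_FIELDS = (
    "caller_name", "call_time", "caller_contact", "nature",
    "equipment_or_persons_involved", "location", "how_detected",
)

# Categories in priority order: (level, assessment flag, description); 1 is highest.
CATEGORY_LEVELS = (
    (1, "threat_to_life", "A threat to public safety or life"),
    (2, "threat_to_sensitive_data", "A threat to sensitive data"),
    (3, "threat_to_systems", "A threat to computer systems"),
    (4, "service_disruption", "A disruption of services"),
)

# Assessed incident type -> named response procedure from the IRP.
PROCEDURES = {
    "worm": "Worm response procedure",
    "virus": "Virus response procedure",
    "system failure": "System failure procedure",
    "active intrusion": "Active intrusion response procedure",
    "inactive intrusion": "Inactive intrusion response procedure",
    "abuse": "System abuse procedure",
    "property theft": "Property theft response procedure",
    "website dos": "Website denial of service response procedure",
    "database dos": "Database or file denial of service response procedure",
    "spyware": "Spyware response procedure",
}

# Critical items the final Incident Report must capture.
REPORT_ITEMS = (
    "how_discovered", "category", "where_occurred", "source",
    "response_type", "response_details", "outcome",
)

@dataclass
class Ticket:
    ticket_id: str      # id format is an assumption; the catalog does not prescribe one
    category: int
    procedure: str
    procedure_documented: bool
    intake: dict

def missing_intake_fields(intake: dict) -> list:
    """Return the intake log fields that are absent or empty."""
    return [f for f in INTAKE_FIELDS if not intake.get(f)]

def categorize(**threats) -> int:
    """Return the highest applicable category; a category 1 condition outranks the rest."""
    unknown = set(threats) - {flag for _, flag, _ in CATEGORY_LEVELS}
    if unknown:
        raise ValueError(f"unknown assessment flags: {sorted(unknown)}")
    for level, flag, _ in CATEGORY_LEVELS:
        if threats.get(flag):
            return level
    raise ValueError("no category applies: re-check whether the incident is real")

def select_procedure(incident_type: str) -> tuple:
    """Map the assessed type to its procedure; unknown types are flagged so the
    team documents what was done and establishes a procedure afterwards."""
    key = incident_type.strip().lower()
    if key in PROCEDURES:
        return PROCEDURES[key], True
    return "no applicable procedure: document actions taken, establish one later", False

def open_ticket(ticket_id: str, intake: dict, incident_type: str, **threats) -> Ticket:
    """Open a ticket only from a complete intake log, categorized at the highest level."""
    missing = missing_intake_fields(intake)
    if missing:
        raise ValueError(f"intake log incomplete, missing: {missing}")
    procedure, documented = select_procedure(incident_type)
    return Ticket(ticket_id, categorize(**threats), procedure, documented, dict(intake))

def missing_report_items(ticket: Ticket, report: dict) -> list:
    """Report items still unfilled; the category is taken from the ticket itself."""
    filled = dict(report)
    filled.setdefault("category", ticket.category)
    return [item for item in REPORT_ITEMS if not filled.get(item)]
```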

1.5 Incident Response Training

As previously mentioned, the GEARS team has developed Vulnerability Management Programs. Staff training is a key element of establishing a strong vulnerability management framework. Adding robust technological appliance-based security solutions, while advantageous, will provide a low return on investment if staff are not aware of security threats, how to identify them, and how to respond to them. GEARS will work with DMS or other state departments and agencies not only to create an effective IRP, but also to develop interactive and engaging training sessions tailored to the various organizational roles and responsibilities, from staff through leadership, designed to educate on the precepts of the IRP and to increase awareness of security threats, how to identify them, and how to respond to them. To measure effectiveness once training is complete, GEARS will design social engineering exercises to test the effectiveness of the training and the organization's ability to respond to an incident. A full report on the outcome of the social engineering exercises will be provided to leadership.

2. Post-Incident Services

2.1 Incident Response Guidance

GEARS will work with technical staff to assist State Agencies in providing a full response to an incident. Utilizing the agency's IRP and leveraging our experience in incident response, GEARS will join the State Agency's ISIRT in an advisory capacity to ensure that the processes and steps taken result in a ticket opened with the appropriate level / category assigned, and in an incident report detailing the critical elements (how the incident was discovered; the category of the incident; how the incident occurred; the source of the incident; details of the response; and the outcome of the response – its effectiveness). This information is critical not only during the response, but also for the incident post-mortem discussions that will be instrumental in the continuous improvement of the agency's IRP.

2.2 Incident Response Mitigation Plans

Based upon the information gathered through the investigation practices and response activities of the incident, as noted previously, and through an understanding of organizational priorities and critical infrastructure discussed during post-mortem meetings, the GEARS team will assist the State Agency in developing mitigation plans to limit the exposure in future incidents. Our team understands that no agency is going to be free of risks, but through proper planning and through activities of continuous improvement, risk mitigation can be achieved.

3. Applicable IT70 Labor Categories

The table below lists the published rates from the GEARS GSA IT 70 Catalog Labor Categories that would be applicable in establishing an Incident Response team.

GEARS GSA IT 70 Catalog (GS 35F-0377Y)

  Labor Category                    Maximum Price
  Project Manager III               $157.88
  Security Specialist I             $152.60
  Security Specialist II            $184.18
  Security Specialist III           $192.07
  Disaster Recovery Specialist      $184.18
  Network Administrator             $152.60
  IT Training Specialist III        $152.60