Facts about the tender
| Published | 25.04.2019 |
| Tender type | Public tender |
| Contracting authority | Københavns Kommune |
Continuous Autonomous Attack Surface Testing service
Københavns Kommune
Task description

Københavns Kommune (KK) is requesting proposals for a Continuous Autonomous Attack Surface Testing service of KK's internet-exposed assets that will map KK's entire attack surface and identify KK's exposed attack vectors, to help KK's security team focus on and fix what is attractive and exposed to external attackers. Contract period: 2 years plus an option to extend by 1 year.

The Testing service of KK's ~5,000 internet-exposed assets (IPs, domains and certificates) should be performed entirely externally, without any deployment or integration (without the need to configure the IP ranges to scan). The Testing service should be performed as a "black-box" simulation of an unbiased attacker's reconnaissance techniques to discover security risks across KK's internet-facing IT infrastructure, including not only server and application vulnerabilities but also software misconfigurations, authentication and encryption weaknesses, phishing threats and other risks. There should be no impact on business continuity: the Testing service must run in a way that poses no danger to business continuity or technical operations.

Access to the data collected and processed by the Testing service should be provided through a web portal and a monthly report. Each report should include a one-hour remote review session of the findings, provided by an expert cyber-analyst.

ASSET DISCOVERY
The Testing service should also identify and map KK's unmanaged and distributed cloud-based assets deployed outside KK's firewall. This should include assets deployed within IaaS (AWS, Azure, GCP...) and SaaS providers, as well as partner networks that are not directly monitored by KK.

BUSINESS IMPORTANCE
The Testing service should also categorize each asset based upon its purpose in terms of both business and IT function. The approach should also apply predictive modeling to identify sensitive assets and data that may not be public-facing, but which could be compromised due to vulnerabilities discovered within the public-facing assets that link to them.

ATTACK VECTOR DETECTION
The Testing service should verify which attack vectors are available to attackers, including:
- Network Architecture and Encryption Flaws: identify exposed sensitive information (e.g. an exposed HTTP query stream of an Apache server), critical assets that are accidentally exposed to external networks, unmanaged assets, abandoned environments, and platforms that communicate using insecure, easily decrypted encryption.
- Insecure Software Implementation: detect vulnerable authentication mechanisms, misconfigured applications and software components, and insecure code which allows attackers to inject malicious code or execute arbitrary commands on the organization's assets.
- Phishing Threat Intelligence: detect potential domain name squatting and domain takeovers, spoofing, malicious websites that run watering-hole attacks against the organization's customers and employees, and exploitable communication platforms such as email servers that allow attackers to send spoofed emails which look like they were sent by the organization's employees.
- Software and Firmware Vulnerabilities: assess the existence of known vulnerabilities in KK's web applications, servers, and infrastructure.

RANKING THE RISK
The Testing service should show a calculated grade for each risk discovered and rank it based on the following parameters:
- Discoverability: rates the difficulty of asset discovery from the attacker's point of view, based upon the number of discovery paths and the difficulty of those paths. The Testing service should also detail the discovery path and the exposure level score for each asset.
- Attractiveness to Attackers: prioritizes certain assets that would be of interest to, for example, crime syndicates, including those that hold corporate confidential information and give access to other critical network segments.
- Business Importance and Potential Impact: rates each asset based upon what is learned about the data stored on it, as classified by the type of server. This should include recognizing and prioritizing, for example, code repositories, databases, employee directories, CMS servers, file servers, and critical gateways.
- Exploitation Complexity: assesses the level of effort or skill required for the attacker to exploit a particular attack vector. For example, the availability of tools and knowledge about a particular vulnerability is used to measure complexity. Similarly, types of attacks such as "man-in-the-middle" attacks should rank higher in complexity, given the need to access the network in a particular fashion.

REMEDIATION INFORMATION
The Testing service should provide actionable remediation information for the discovered risks.

CUSTOMER REFERENCES
The supplier's proposal shall be backed up by customer references enabling KK to qualify the proposed solution.
| Announced | 25 April 2019 18:00:00 CEST |
| Deadline | 3 May 2019 00:00:00 CEST |
| Tender type | Smaller Danish tenders |
| Task type | Purchase of goods |
| Tender form | Public/open tender |
| CPV code | 72000000 |
| Authority type | Municipality |
Award and selection criteria
| Award criteria | Most economically advantageous tender |
| Elaboration of award criteria | Proposals will be evaluated according to the following criteria: Price = 50%, Quality = 50%. The criterion "Quality" is evaluated as: 1) the supplier's ability to meet the requirements described in the scope (Task description); 2) proposals that are found to meet the requirements (1) will be subject to three (3) "live tests" of the proposed solution. The live tests evaluate the complete and entire functionality of the proposed solution. |
| Selection criteria | |
Contact person
| Name | Carsten Højby Rasmussen |
| Telephone | +45 29290999 |
| E-mail | k40k@kk.dk |
Contracting authority
| Name | Københavns Kommune |
| Address | Borups Allé 177, 2400 København NV, DK |
| Telephone | +45 24995967 |
| E-mail | k40k@kk.dk |
| WWW | www.kk.dk |