DCS provides the knowledge, skills, abilities, staff support, and other related resources necessary to conduct the following HVA Assessment HACS services:
- Risk and Vulnerability Assessment
- Security Architecture Review
- System Security Engineering
Risk and Vulnerability Assessment (RVA)
RVAs conduct assessments of threats and vulnerabilities; determine deviations from acceptable configurations, enterprise, or local policy; assess the level of risk; and develop and/or recommend appropriate mitigation countermeasures in operational and non-operational situations. Tasks include, but are not limited to:
- Penetration Testing
- Network Mapping
- Vulnerability Scanning
- Phishing Assessment
- Wireless Assessment
- Web Application Assessment
- Operating System Security Assessment (OSSA)
- Database Assessment
Penetration Testing
DCS provides both internal and external security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. Deliverables for Penetration Testing include, but are not limited to, a Rules of Engagement document containing the type and scope of testing, and client contact details; and a Penetration Test Report that includes an executive summary, a contextualized walkthrough of technical risks, potential impact of vulnerabilities found, and vulnerability remediation options.
Knowledge and skills required for Penetration Testing include, but are not limited to:
- Knowledge of system and application security threats and vulnerabilities
- Skill in the use of social engineering techniques
- Skill in using penetration testing tools
- Knowledge of general attack stages
Network Mapping
DCS will identify assets on an agreed-upon IP address space or network range(s). Deliverables for Network Mapping include but are not limited to a network map of the organization’s system that includes a visual representation of the organization’s physical devices and digital network.
Knowledge and skills required for Network Mapping include but are not limited to:
- Knowledge of network security architecture concepts including topology, protocols, components, and principles
- Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services
- Ability to generate and implement capabilities to monitor an organization’s network in real time
Vulnerability Scanning
DCS will comprehensively identify IT vulnerabilities associated with agency systems that are potentially exploitable by attackers. Deliverables for vulnerability scanning include but are not limited to a Vulnerability Scanning Risk Assessment that includes an executive summary and risk assessment reports and/or dashboards.
Knowledge and skills required for Vulnerability Scanning include but are not limited to:
- Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems
- Skill in using network analysis tools to identify vulnerabilities
- Ability to identify systemic security issues based on the analysis of vulnerability and configuration data
Phishing Assessment
DCS will complete activities to evaluate the level of awareness of the agency workforce with regard to the digital form of social engineering that uses authentic-looking but falsified emails that request information from users or direct them to a fake website that requests information. Phishing assessments can be conducted as a one-time event or as part of a larger campaign conducted over several months. Deliverables for a Phishing Assessment include, but are not limited to, a Phishing Assessment Report that includes an executive summary and metrics that highlight potential weaknesses in an organization’s email policy.
Knowledge and skills required for a Phishing Assessment include but are not limited to:
- Skill in the use of digital social engineering techniques
Wireless Assessment
A DCS Wireless Assessment includes wireless access point detection, penetration testing, or both. A wireless assessment is performed while onsite at a customer’s facility. Deliverables for a Wireless Assessment include but are not limited to a Wireless Assessment Report that includes an executive summary, network mapping, vulnerability analysis, and a wireless network configuration assessment of the wireless system.
Knowledge and skills required for a Wireless Assessment include but are not limited to:
- Knowledge of wireless security threats and vulnerabilities
- Skill in the use of social engineering techniques
- Knowledge of general attack stages
Web Application Assessment
DCS will provide a Web Application Assessment that includes scanning, testing, or both of outward-facing web applications for defects in web service implementation that may lead to exploitable vulnerabilities. Deliverables for a Web Application Assessment include but are not limited to a Web Application Assessment Report that indicates whether traditional network security tools and techniques are used to limit access to the web service to only those networks and systems that should have legitimate access.
Knowledge and skills required for a Web Application Assessment include but are not limited to:
- Knowledge of system and application security threats and vulnerabilities
- Skill in the use of social engineering techniques
- Knowledge of general attack stages
Operating System Security Assessment (OSSA)
DCS will assess the configuration of select host operating systems against standardized configuration baselines. Deliverables for OSSA include but are not limited to an OSSA Report that includes an executive summary and a vulnerability analysis.
Knowledge and skills required for OSSA include but are not limited to:
- Knowledge of organizational baselines and configuration management systems
- Knowledge of the Security Content Automation Protocol (SCAP) and operating system hardening guidelines
- Ability to identify systemic security issues based on the analysis of vulnerability and configuration data
Database Assessment
DCS will assess the configuration of selected databases against configuration baselines in order to identify potential misconfigurations and/or database vulnerabilities. Deliverables for Database Assessment include but are not limited to a Database Assessment Report that includes an executive summary, privacy assessment, and vulnerability assessment.
Knowledge and skills required for a Database Assessment include but are not limited to:
- Knowledge of general attack stages (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.)
- Knowledge of database security threats and vulnerabilities
- Knowledge of relational database management systems (RDBMS)
Security Architecture Review (SAR)
A SAR evaluates a subset of the agency’s HVA security posture to determine whether the agency has properly architected its cybersecurity solutions and to ensure that agency leadership fully understands the risks inherent in the implemented cybersecurity solution. The SAR process utilizes in-person interviews, documentation reviews, and leading-practice evaluations of the HVA environment and supporting systems. The SAR provides a holistic analysis of how an HVA’s individual security components integrate and operate, including how data is protected during operations. Architecture strengths and findings are documented in a SAR Report.
Knowledge and skills required for a SAR include but are not limited to:
- Ability to perform architecture design reviews
- Ability to perform system configuration and log reviews
- Ability to perform network traffic analyses
System Security Engineering (SSE)
SSE identifies security vulnerabilities and minimizes or contains the risks associated with these vulnerabilities across the Systems Development Life Cycle.
DCS provides system engineering and architectural design support services, which include:
- Studies and analysis of proposed operations modifications
- Identification and documentation of alternative operations solutions
- End-to-end architecture tradeoff assessment
- Development of strategic and tactical plans
- Implementation plans and strategies
- Standards development
- Evaluation of new program requirements
- Investigation and development of new technologies for possible operations modifications