Specifications include, but are not limited to:

Testing: The selected Contractor (Contractor shall be defined as company submitting the bid) will perform external network penetration testing to identify and exploit network and host-based security vulnerabilities within the Internet-facing networked infrastructures operated by the Board of Supervisors (BOS) and Internal Services Department (ISD). This testing is to be performed by Qualified Cybersecurity Professionals (Qualified Cybersecurity Professionals shall be defined as cybersecurity professionals certified by EC Council at the level of Certified Ethical Hacker or above) utilizing various software tools that are licensed and/or authorized for use by the Contractor.

At minimum, the external network penetration testing must include the following phases:

• Active Host Identification (Device Discovery) - Contractor will establish a profile of Internet Protocol (“IP”) ranges provided by BOS to identify active external devices, which shall be no fewer than 25 active external devices but shall not exceed a maximum of 40 active external devices.
• Vulnerability Scanning - Contractor will analyze available network services and the IP stack fingerprints of all active external devices identified in the device discovery phase.
• Vulnerability Validation - Contractor will attempt to validate the results of vulnerability scanning to identify (and disregard) any false-positive results and validate other positive results from automated testing.
• Exploitation - After establishing an understanding of external device roles, potential trust relationships, accessible network services, and potential vulnerabilities, Contractor will attempt to gain access to target systems.