PHASE 1: Project Kick Off / Discovery

Work with the JAA IT team to ensure a thorough understanding of the testing parameters.

1. JAA IT will provide VLANs and IP subnets for each separate reporting effort described in each Phase of the JAA Specifications to ensure proper segmentation of reports.
2. Coordination of virtual meeting(s):
   a. Kick-off introduction to introduce the testing project team and the JAA project team.
   b. Project phase scheduling: schedule and identify the timeline for deliverables and recurring status meetings.
   c. Status updates on background checks of personnel assigned to the JAA contract and/or the timeline for replacements.
   d. Status updates on completion of the required NDA documentation.

PHASE 2: Scanning and Testing

Both external and internal penetration testing of JAA’s network are required, with the following goals:

1. Obtain user credentials.
2. Obtain administrative user credentials, or perform privilege escalation to do so.
3. Obtain access to security-sensitive networks or documents in one of three categories: Physical Access Control systems, Law Enforcement systems, and Credit Card systems.
4. Identify and document exploitable vulnerabilities. Perform and document non-disruptive exploits. Disruptive attacks can be performed with advance notice and coordination.
5. Document PCI compliance with penetration testing requirements.
6. PCI-specific testing must include all requirements explicitly required by PCI DSS v4.0.1.
7. Respondents must acknowledge having reviewed this document and confirm that their test will comply with its guidance: https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidancev1_1.pdf?agreement=true&time=1585667122808
8. A tabletop exercise: a simulated ‘dry run’ of a hypothetical cyber security incident scenario designed to test our policies and practice them, with preference for an aviation / airport-specific scenario.
9. A social engineering effort. JAA already performs routine phishing tests, so we would prefer to see some other tactic deployed, such as vishing. If phishing is used, it should be advanced in nature.
10. A cloud security analysis.

PHASE 3: Report Writing and Wrap Up

Required deliverables include a variety of reports. All primary reports should include an overview and summary of the findings and their severity, as well as information on the countermeasures you encountered and their effectiveness. They should also include a detailed analysis of the methodology used and a detailed step-by-step review of each step in the process, including goals, intelligence gathering, vulnerability analysis, exploitation, post-exploitation, and remediation. In short, everything needed for the reader to reproduce your efforts. Given the security-sensitive nature of such a report, we will also require an executive-summary-only version of all reports that does not include the detailed step-by-step documentation or any other security-sensitive information such as IP addresses, etc.

The deliverables required are:

1. A PCI Compliance-specific report that only covers networks considered ‘in scope’ for our PCI Compliance programs.
2. A Bag Handling System-specific report that covers only networks considered ‘in scope’ for the BHS system. This system includes OT components, which must be assessed as well.
3. An Airfield Lighting Control Management System-specific report that covers only networks considered ‘in scope’ for our ALCMS system. This system includes OT components, which must be assessed as well.
4. A Building Automation-specific report that covers only networks considered ‘in scope’ for our Metasys system. This system includes OT components, which must be assessed as well.
5. A power management system-specific report that covers only networks considered ‘in scope’ for our Eaton Power systems. This system includes OT components, which must be assessed as well.
6. A JAA Externally Hosted Websites-specific report that only covers IP addresses and URLs considered ‘in scope’ for websites hosted externally to JAA’s networks. This will require authorization from the hosting provider prior to the start of testing.
7. A report on external penetration testing that does not include items from number 5 in this section.
8. A report on internal penetration testing that does not include items from numbers 1-4 in this section.
9. A report on the tabletop exercise and any issues identified with JAA’s processes. This report does not require an executive summary version.