Contract # 2019-2978.02
Quote # JH006008
Version 1
City of Columbia Heights - Assessment Services
We have prepared a quote for you
Prepared by:
John Hallqvist
jhallqvist@cyberadvisors.com
Cyber Advisors Inc.
Prepared for:
Aleksandr Chernin
achernin@columbiaheightsmn.gov
City of Columbia Heights
7550 Meridian Cir N #100
Maple Grove, MN 55369
www.cyberadvisors.com
(952)924-9990
City of Columbia Heights
Aleksandr Chernin
590 40th Avenue NE
Columbia Heights, MN 55421
achernin@columbiaheightsmn.gov
Thursday, December 05, 2019
Dear Aleksandr,
The need for increased cyber security is pervasive across all industries. An incident can lead to financial loss
(ransomware), damage to reputation (compromised customer/employee data), loss of productivity (downtime) and
non-compliance with regulators’ demands. Therefore, many organizations seek to understand where vulnerabilities and
risk lie within their controls and request specialized help from trusted partners.
Backup and Disaster Recovery infrastructure and capabilities need to be aligned with the expectations of the
organization. Creating this alignment will provide the organization with a cohesive team response to disasters and
technology failures. Having backups and a plan for disaster recovery helps to protect the organization from natural
disasters, hardware failures, human error, and cyber crimes to ultimately help the organization serve its community.
Cyber Advisors is a local, Minnesota-based company that has been serving the community for more than 20 years. With
a dedicated staff of IT and security experts, Cyber Advisors has extensive capability and experience in giving
customers a deep understanding of where they are vulnerable and face risk, along with guidance and
recommendations for remediation.
On behalf of the Cyber Advisors team, I appreciate the opportunity to have engaged your organization, the City of
Columbia Heights, in a discussion about providing assessment services for security, backup and disaster recovery
capabilities. The attached Statement of Work (SOW) includes a detailed overview of our approach to this project.
I look forward to earning your business. If you have any questions regarding this proposal, please do not hesitate to
reach out to me directly.
Best regards,
John Hallqvist
Sr. Account Executive
Cyber Advisors Inc.
Statement of Work
Executive Summary:
The City of Columbia Heights has engaged Cyber Advisors for assessment services covering security, backup and
disaster recovery, and lifecycle management. The security assessment will focus on external- and internal-facing
devices, penetration testing, social engineering, policy review, and an assumed-breach assessment, and will result in a
comprehensive document laying out the details of our findings. The disaster recovery assessment will focus on
validating and identifying requirements and creating a disaster recovery and business continuity design that meets
those requirements. The lifecycle management assessment will focus on reviewing equipment that is end of life or end
of support and its corresponding security vulnerabilities, reviewing the SolarWinds configuration and its effectiveness,
and creating a lifecycle management recommendation document.
Cyber Advisors Responsibilities:
· Identify scope of project and completion date
· Serve as a contact for service delivery
· Schedule project work
· Perform the project as defined in the SOW
Customer Responsibilities and Assumptions:
· The steps in this Statement of Work are provided to separate the project into logical tasks and provide a
guideline for the order in which the project will be performed.
· Project Managers and Project Engineers may change the order in which steps are performed as necessary to
meet customer requirements and project schedule.
· Any steps not explicitly stated in this SOW will require a change order to complete.
· Client is responsible for all licensing and billing unless explicitly stated.
· Client is responsible for any pre-approved support call purchases.
· If pertinent, the client maintains support agreements for all 3rd-party products for the duration of the work in this
SOW.
· If pertinent, for 3rd-party support cases, the client is responsible for coordinating and scheduling the vendor
and Cyber Advisors' staff.
· Secure VPN or Bomgar access will be provided for remote work.
· A physical appliance may be deployed for remote connectivity and testing at the production site.
· Any identified active attack or critical risk will be reported to the client immediately.
· All security work in this SOW requires client sign-off.
· Only reports listed in the SOW are included. Any others would require a change order.
· Client to provide timely access to all applicable buildings, closets, devices and personnel.
· No remediation work is performed in this SOW.
· No policies will be created in this SOW; only policy review will be performed.
Project Scope – Various Assessments
Phase 1 - Security Assessment
Step 1 - Project Preparation
· Pre-project planning meeting
· Verify the scope of the project, define timelines, set up milestones and responsibilities for all parties
· Discuss administrative requirements to complete the work
· Obtain necessary credentials for white-box testing
· Obtain signed ‘Authorization to Test’ document
Step 2 - Perform External Security Assessments
· Perform remote external reconnaissance
· Perform enumeration of all possible external devices
· Perform vulnerability assessment of up to (40) externally facing appliances, servers, networking and
security devices
(1) Note: This assessment is a “black-box” assessment so limited documentation will be requested
(2) Systems are scanned for vulnerabilities and reviewed by security analyst for viability
(3) For each viable vulnerability found:
(a) Document threat category
(b) Determine the likelihood that a threat exploits a vulnerability
(c) Document remediation recommendation(s)
· Create report listing all devices found and their vulnerabilities, reconnaissance information and remediation
recommendations
· Information gathered to be used for penetration attempts
Step 3 - Perform Internal Security Assessments
· Perform enumeration of all possible internal devices
· Perform vulnerability assessment of up to (300) internally facing appliances, servers, networking and
security devices
(1) Note: This assessment is a “gray-box” assessment so some key documentation will be requested
(2) Systems are scanned for vulnerabilities and reviewed by security analyst for viability
(3) For each viable vulnerability found:
(a) Document threat category
(b) Determine the likelihood that a threat exploits a vulnerability
(c) Document remediation recommendation(s)
· Create report listing all devices found and their vulnerabilities, enumeration information and remediation
recommendations
· Information gathered to be used for penetration attempts
Step 4 - Perform External and Internal Penetration Testing
· We follow penetration testing methodology guidelines from PTES, OWASP and NIST
· Establish desired outcome with client
· Perform intelligence gathering through scripting and internal review
· Perform threat modeling
(1) Gather relevant documentation
(2) Identify and categorize primary and secondary assets
(3) Identify and categorize threats and threat communities
(4) Map threat communities against primary and secondary assets
(5) Determine exfiltration channels
· Vulnerability analysis
(1) Review risk register from vulnerability scans
(2) Perform active testing
(3) Perform passive testing
(4) Review OSINT information
· Exploitation
(1) Develop exploit plan
(2) Perform attacks applicable to the environment as found in vulnerability analysis
(3) Execute various payloads as necessary
(4) Unsafe checks and activities that may cause a denial of service (DoS) will be approved by the client in advance
(5) At least (15) devices will be attempted in the exploit plan
· Post Exploitation
(1) Provide proof of compromise and exploitability in:
(a) VPN services
(b) DNS
(c) Directory Services
(d) File systems/shares
(e) Network services (ARP tables, LLDP neighbors, etc.)
· Reporting
(1)Report will contain pentesting activities performed, applications executed and both successful and
unsuccessful exploits
(2)All reports are collected and presented together
(3)Present report/findings to Customer IT at appropriate meeting
Step 5 - Social Engineering Assessments
· Set up parameters of tests
· Identify appropriate tactics and targets
· Execute tests against the user base
(1) Both onsite and phone tests will be performed
· Provide results to management via report
Step 6 - Perform Assumed Breach Assessments
· Note: This assessment is a “white-box” assessment and credentials will be required
· Use an account provided by the client to assess basic user permissions
· Identify potentially harmful information that can be used for attacks and/or social engineering
· Assess user account permissions
· Document all findings in the Assumed Breach report
Step 7 - Report Analysis and Creation
· Create the following reports/details in one package:
(1) Executive summary for security/vulnerability report
(2) Risk Registry of vulnerabilities and remediation recommendations
(3) Assumed Breach report
(4) Technical review of all items touched
(5) Timeline of all activities
(6) Detailed findings of all testing methods
(7) Validation of compromise
(8) Final analysis of assessments and testing
· Present report/findings to Customer IT at appropriate meeting
Phase 2 - Disaster Recovery/Business Continuity Assessment
Step 1 - Validate Business Requirements
· Review key systems and services from IT department documentation
· Review line-of-business (LOB) application listing
· Review RTO (recovery time objective) and RPO (recovery point objective) values from the IT department
· Review key business partners and vendors
· Document business unit locality
· Review regulatory or compliance requirements
· Review insurance requirements
· Review audit requirements
· Review existing DR and employee documents
· Create document of all DR requirements
· Present appropriate documentation to third parties, as requested
Step 2 - Identify Requirements for Disaster Recovery and Business Continuity
· Review Live Optics reporting
· Identify existing HA and DR design elements
· Document server infrastructure
· Document network topology
· Document WAN and Internet connectivity
· Document existing backup strategy
· Review existing DR plan (if any)
· Review existing BC plan (if any)
· Review previous compliance audit (if any)
· Document user base and connectivity
· Create document of DR/BC preparedness
· Provide disaster recovery plan template
· Create basic outline of business continuity plan
Step 3 - Disaster Recovery and Business Continuity Design
· Review all created documents
· Research capabilities of existing equipment
· Research capabilities of existing communication vendors
· Design DR/BC strategy to complement existing design and meet RTO/RPO
· Create BOM of required hardware and software solutions (as needed)
· Create document of DR/BC recommendations
· Present report/findings to Customer IT at appropriate meeting
Phase 3 - Other Assessments
Step 1 - Lifecycle Management
· Review equipment at end of life (EOL) and end of support (EOS)
· Identify security vulnerabilities in aging equipment
· Review SolarWinds configuration and effectiveness
· Assist with budgetary review cadence plan
· Create lifecycle management recommendation document
Step 2 - Policy Review
· Document existing security policies and make recommendations
· Review Inventory Management Process
· Document security controls against the NIST Cybersecurity Framework
Step 3 - Project Management
· Project management: provide timely updates to the team
· Post-project meeting to verify the scope completed and the project hours
· Present all reports:
(1) Security assessment
(2) Disaster Recovery and Business Continuity assessment
· Obtain sign-off
Step 4 - Project Meetings
· Time allocated for update meetings throughout the project at given milestones
Out of Scope
· Activities or reports not listed in the Statement of Work.
Total Services Costs:
$28,385.00 Fixed Fee
The above work will be performed on a fixed-fee contractual basis, payable following mutual agreement on and
signing of the Statement of Work. Contractual services required beyond the scope of this Statement of Work, or of any
subsequently agreed-upon versions of it, will be negotiated through the Change Control process; professional service
fees may vary according to the degree and scope of work. Payment terms are Net 15 as hours are completed for
service work and Net 15 for hardware and software after delivery of the product.
Cyber Advisors reserves the right to modify the engagement via a written change order, mutually agreed upon before
work is performed, if the SOW is signed and executed more than 60 days after the date of delivery of the SOW. Such a
change order can include changes in the steps to be performed and may include an increase or decrease in charges.
Important Notes: Travel charges are extra and billed at actual cost. The rate listed is for work performed M-F 8AM-5PM CST.
Anything outside these hours is billed at time and a half.
Limitation of Liability:
IN NO EVENT SHALL Cyber Advisors BE LIABLE TO CLIENT OR TO ANY THIRD PARTY FOR CONSEQUENTIAL,
SPECIAL, INDIRECT OR INCIDENTAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
SERVICES, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA OR INFORMATION OF ANY KIND WHICH CLIENT
MAY EXPERIENCE, OR FINES OR PENALTIES IMPOSED ON CLIENT FOR FAILURE TO MEET A GOVERNMENTAL
LAW, REGULATION OR REQUIREMENT FOR WHICH THE SERVICES ARE DIRECTLY OR INDIRECTLY USED BY
CLIENT. IN THE EVENT THAT THIS LIMITATION OF DAMAGES IS HELD UNENFORCEABLE, THEN THE PARTIES
AGREE THAT BY REASON OF THE DIFFICULTY IN FORESEEING POSSIBLE DAMAGES, ALL LIABILITY TO CLIENT
SHALL BE LIMITED TO ACTUAL SUMS PAID BY CLIENT UNDER THIS AGREEMENT AS LIQUIDATED DAMAGES
AND NOT AS PENALTY AND SHALL IN NO EVENT INCLUDE INCIDENTAL OR CONSEQUENTIAL DAMAGES.
Covenant:
CLIENT agrees that, while Cyber Advisors representatives are performing services under this Agreement, and for a
period of twenty-four (24) months following the termination of this Agreement, CLIENT will not, except with Cyber
Advisors prior written approval, directly or indirectly through a third party, refer for employment, solicit, or offer
employment to any representative, employee, or staff member of Cyber Advisors engaged in any efforts under this
Agreement. If CLIENT assigns or arranges for the performance of services by Cyber Advisors personnel at a third-party
location, CLIENT will ensure that an agreement that includes a similar non-hire clause is entered into with the third
party.
CONFIDENTIALITY
Each party hereto shall hold in trust for the other party hereto (“Such Other Party”), and shall not disclose to any
non-party to the Agreement, any confidential information of Such Other Party. Confidential Information is information
that relates to Such Other Party’s research, development, trade secrets, or business affairs, but does not include
information that is generally known or easily ascertainable by non-parties of ordinary skill in computer design and
programming. Cyber Advisors hereby acknowledges that during the performance of this Agreement, Cyber Advisors
may learn or receive confidential CLIENT information and therefore confirms that all such information relating to
CLIENT’s business will be kept confidential by Cyber Advisors, except to the extent that such information must be
disclosed to Cyber Advisors support staff or associates in order to enable Cyber Advisors to perform its obligations
under this Agreement.
INDEMNIFICATION AND LIABILITY
Cyber Advisors shall indemnify and hold CLIENT harmless from any responsibility for bodily injury and property
damage liability or loss which may arise or grow out of performance of duties under this Agreement, resulting from
negligence or willful misconduct by Cyber Advisors representatives. CLIENT shall indemnify and hold Cyber
Advisors harmless from any responsibility for bodily injury and property damage liability or loss which may arise or
grow out of performance of duties under this Agreement, resulting from negligence or willful misconduct by CLIENT.
Change Control:
Throughout this Statement of Work, assumptions have been made and stated concerning the scope of the services to be
provided. Every effort has been made to anticipate the most typical and most likely situations that will be encountered.
The pricing of these services is predicated on those stated assumptions. When work is requested that is beyond the
stated scope of work, a change order will be executed that reflects the additional work and its price. When additional
service is open-ended, it will be priced at the hourly rates indicated in the Terms and Conditions, Unscheduled Work
and Labor Rates section. Otherwise, it will be priced on a bid-specific basis.
Should CLIENT require any changes, they should be submitted in writing for consideration. Any change to this project
will require a new Statement of Work or the proper sign-off on a Cyber Advisors Change Control form. This will outline
the changes in the scope of work and any necessary adjustments in scheduling and/or pricing. CLIENT will provide the
names of people who have the authority to initiate Change Control. All parties are named in the Change Control
Authorization section.
Authorization:
Cyber Advisors is pleased to provide this contract to City of Columbia Heights. Signature on this agreement signifies
acceptance of both the price and the standard terms. In addition to the terms listed in this agreement, the client also
agrees to the terms of Cyber Advisors’ Master Service Agreement located
at: http://www.cyberadvisors.com/masterservice.pdf
Description | Price | Qty | Ext. Price
Project Services
Service or project labor not to exceed a specified amount.
Security Assessment: $13,320.00
Disaster Recovery Assessment: $11,190.00
Other Assessments: $3,875.00
Service - Flat Rate | $28,385.00 | 1 | $28,385.00
Subtotal: $28,385.00
Quote Information:
Version: 1
Delivery Date: 12/05/2019
Expiration Date: 09/24/2019
Quote #: JH006008
Prepared by:
Cyber Advisors Inc.
John Hallqvist
(952)924-9990
jhallqvist@cyberadvisors.com
Prepared for:
City of Columbia Heights
590 40th Avenue NE
Columbia Heights, MN 55421
Aleksandr Chernin
(763)706-3638
achernin@columbiaheightsmn.gov
City of Columbia Heights - Assessment Services
Quote Summary
Description | Amount
Project Services | $28,385.00
Total: $28,385.00
Taxes, shipping, handling and other fees may apply. We reserve the right to cancel orders arising from pricing or other errors.
Cyber Advisors Inc.
Signature:
Name: John Hallqvist
Title: Sr. Account Executive
Date: 12/05/2019
City of Columbia Heights
Signature:
Name: Aleksandr Chernin
Date: