GEARS Cyber Security Services Catalog – Florida DMS Page i of i
GEARS Cyber-Security Services
Florida Department of Management Services Division of State Purchasing
Table of Contents
Introduction
About GEARS
1. Pre-Incident Services
1.1 Incident Response Agreements
1.2 Assessments of Incident Response Capability
1.3 Incident Response Guidance
1.4 Incident Response Plans
1.5 Incident Response Training
2. Post-Incident Services
2.1 Incident Response Guidance
2.2 Incident Response Mitigation Plans
3. Applicable IT70 Labor Categories
Introduction
The Florida Department of Management Services (DMS), Division of State Purchasing
(Department) provides centralized statewide contracts for use by all state agencies. DMS has
released an RFI to identify vendors under GSA Schedule 70 who are able to perform the cyber-security
services listed in the table of contents.
Specifically, DMS is seeking to identify vendors that are able to provide assessment and
remediation services in the event of a cyber-security incident and provide identity protection,
identity monitoring and identity restoration services to any affected individuals under GSA
Schedule 70.
As intrusion detection appliances become more sophisticated, attack vectors will shift away from
direct attacks on systems and toward attacks that use compromised user credentials obtained through
social engineering. As in previous years, the top three affected industries continue to be Public,
Information and Financial Services. No industry or organization is immune to security failures, but
given the trend and resurgence of phishing and other social engineering tactics, we see the core of
strengthening organizational security lying with its people. Figure 1 provides a few statistics on
incidents by industry and organization size.
Figure 1. Security incidents by victim industry and organization size (from the 2015 Data Breach Investigations Report)
About GEARS
Global Evaluation & Applied Research Solutions (GEARS) Inc. is ready to support DMS with
seasoned cyber-security specialists providing a variety of services. The GEARS team has practical
experience assessing, advising and supporting financial institutions, large telecommunications and
wireless carriers, firms that manage large databases of information, and healthcare organizations
and providers, as well as developing recommendations for risk and security management programs for
global travel management firms. With that background, the GEARS team is poised to support the
cyber-security needs of DMS. We understand the threat level and can assess your environment, help
DMS minimize vulnerability and raise cyber-security awareness among your staff.
Ted Ridley is a seasoned professional with extensive experience in information
technology (IT) concentrating in information assurance, vulnerability assessments,
application design and development, application and network security, program and
project management, risk analysis and management, operational and security policy planning and
development, business continuity and disaster recovery planning and strategy, and network design,
validation and implementation across various public and private industries. With two decades of
combined experience as a network engineer, network security administrator, incident response
team manager, business operations practice manager (Managing Consultant) and independent
consultant, Ted has an in-depth understanding of security issues and their associated business
impact. Ted's breadth of experience in management, technical delivery and business process
optimization uniquely qualifies him to provide comprehensive, high return on investment
(ROI) security solutions.
For more information, please contact:
Ted Ridley, CSSLP, ECSA, CEH
Director, Information Technology Services
(301) 429-5982
www.getingears.com
1. Pre-Incident Services
GEARS offers a suite of Pre-Incident Services, including:
Incident Response Agreements – Creating terms and conditions in place ahead of time to
allow for quicker response in the event of a cyber-security incident.
Assessments – Evaluating a State Agency’s current state of information security and
cyber-security incident response capability.
Preparation – Providing guidance on requirements and best practices.
Developing Cyber-Security Incident Response Plans – Developing or assisting in
development of written State Agency plans for incident response in the event of a cyber-
security incident.
Training – Providing training for State Agency staff from basic user awareness to
technical education.
1.1 Incident Response Agreements
Better to be safe than sorry. Let our experienced cyber-security professionals draft the terms and
conditions for your organization's response in the event of a cyber-security incident. The
GEARS team can support your organization when a computer security attack occurs, an
intrusion is recognized, or some other kind of computer security incident takes place. During this
critical time, having an established incident response agreement in place provides a fast and
effective means of responding.
When an incident occurs, the goal of the Information Systems Incident Response Team
(ISIRT) is to control and minimize any damage, preserve evidence, provide quick and
efficient recovery, prevent similar future events, and gain insight into threats against the
organization. At GEARS, our team is well versed in preserving chain of custody and in the
techniques necessary to quickly isolate the affected devices, either remotely or via telephone
support, until onsite response teams can arrive. An effective Incident Response
Agreement not only gives the organization a clear understanding of the actions that
should take place in the event of an incident, but also provides service level agreements (SLAs)
by which the response time and process will be governed (e.g. isolation of affected devices
within 1 hour).
1.2 Assessments of Incident Response Capability
GEARS Cyber Team Lead, Ted Ridley, has performed numerous Enterprise Security
Assessments for larger commercial organizations using ISO/IEC 27002 (the code of practice for
information security controls); NIST SP 800-115, Technical Guide to Information Security Testing
and Assessment; NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information
Systems and Organizations; NIST SP 800-30, Guide for Conducting Risk Assessments; and NIST
SP 800-39, Managing Information Security Risk: Organization, Mission, and Information
System View, as the guidelines for our assessment tool. The tool provides domain-based scoring of
an organization's preparedness and capability, not only for Incident Response but for enterprise
security practices as a whole. It is designed so that a specific domain such as Incident
Response can be evaluated on its own.
Figure 2 is a representative screenshot of the section of the tool used during an incident response
assessment.
Figure 2. Tool Used During an Incident Response Assessment (Representative)
Using the guidelines noted above and the baseline tools GEARS has, we will review the
organization's policies, guidelines and procedures and develop a customized tool for
performing the Incident Response assessment.
1.3 Incident Response Guidance
As previously noted, the GEARS team has notable experience providing guidance on cyber-security
awareness and preparedness, including the requirements and best practices for preparation. In
today's threat landscape it is never known who will first discover an incident and need to
report it. Incident response preparation is therefore an enterprise-wide effort, ensuring that all
staff know not only how to identify potential threats and incidents, but also how to properly
report them and begin the isolation process when necessary. Routine Security Awareness Training
is at the core of ensuring staff are prepared to recognize and respond to incidents. GEARS has
experience providing Security Awareness Training courses developed for both staff and executive
level participants. Each course is tailored to the intended audience. Although a large portion of
the base course content is consistent across industries, we recognize that industry-specific
items are critical to the best training experience and most useful outcome. We therefore bring
industry-specific data into the presentation so that, for example, training for healthcare
providers focuses on the attack vectors and most commonly exploited vulnerabilities in the
healthcare industry rather than those most common to the financial industry. In addition to
industry-specific data, GEARS brings client-specific data gathered through black box
vulnerability and social engineering assessments conducted before the training. These
assessments allow our presenters to provide not only scenario-based guidance on what to do when
threats arise, but actual data on how your team responded to them.
1.4 Incident Response Plans
As part of our experience developing Vulnerability Management Programs, the GEARS
team has worked with all levels within information technology organizations to ensure that
not only the vision and regulatory needs of the Chief Information Officer are met but the
practical and tactical needs of the operations teams that will implement the actions
from the plan are addressed as well. Having served in capacities spanning from Network
Operations Engineer to Network Operations Manager to SVP of Business Operations, our
team understands the needs of the various roles responsible for incident management. This
understanding allows us to provide practical insight and perspective in the development of
Incident Response Plans (IRP). The IRP defines actions for both non-IT personnel and IT personnel
responding to an incident and describes the steps taken during a response. It provides contact
numbers and the sequence in which contacts are made. It not only contains language describing
the steps for contacting IT and/or security and escalating through management, but also a
checklist to be completed and submitted as part of the documentation trail for each incident.
Examples of areas and associated actions covered by the IRP include:
The telephone contact information for the Agency's 24-hour grounds security department, who
then contact the Agency IT emergency contact person or the affected department contact.
The grounds security office will log:
o The name of the caller.
o Time of the call.
o Contact information about the caller.
o The nature of the incident.
o What equipment or persons were involved.
o Location of equipment or persons involved.
o How the incident was detected.
The IT staff member or affected department staff member who receives the call (or
discovers the incident) will refer to their contact list for both the management personnel
and the incident response members to be contacted, and will call those designated on the list.
The staff member will contact the incident response manager by both email and phone while
making sure other appropriate and backup personnel and designated managers are contacted. The
staff member will log the information received in the same format as the grounds security
office in the previous step, and may also record the following:
o Is the equipment affected business critical?
o What is the severity of the potential impact?
o Name of system being targeted, along with operating system, IP address,
and location.
o IP address and any information about the origin of the attack.
Contacted members of the response team will meet or discuss the situation over the
telephone and determine a response strategy.
o Is the incident real or perceived?
o Is the incident still in progress?
o What data or property is threatened and how critical is it?
o What is the impact on the business should the attack succeed? Minimal,
serious, or critical?
o What system or systems are targeted, where are they located physically and
on the network?
o Is the incident inside the trusted network?
o Is the response urgent?
o Can the incident be quickly contained?
o Will the response alert the attacker and do we care?
o What type of incident is this? Example: virus, worm, intrusion, abuse,
damage.
An incident ticket will be created. The incident will be categorized into the highest
applicable level of one of the following categories:
o Category one - A threat to public safety or life.
o Category two - A threat to sensitive data
o Category three - A threat to computer systems
o Category four - A disruption of services
Team members will establish and follow one of the following procedures basing their
response on the incident assessment:
o Worm response procedure
o Virus response procedure
o System failure procedure
o Active intrusion response procedure - Is critical data at risk?
o Inactive Intrusion response procedure
o System abuse procedure
o Property theft response procedure
o Website denial of service response procedure
o Database or file denial of service response procedure
o Spyware response procedure.
The team may create additional procedures that are unforeseen in this document. If
there is no applicable procedure in place, the team must document what was done and
later establish a procedure for the incident.
Team members will use tools such as EnCase and forensic techniques including reviewing
system logs, looking for gaps in logs, reviewing intrusion detection logs, and
interviewing witnesses and the incident victim to determine how the incident was
caused. Only authorized personnel should perform interviews or examine evidence, and who
is authorized may vary by situation and organization.
Team members will recommend changes to prevent the occurrence from happening
again or infecting other systems.
Upon management approval, the changes will be implemented.
Team members will restore the affected system(s) to an uninfected state. They may do
any or all of the following:
o Re-install the affected system(s) from scratch and restore data from backups
if necessary. Preserve evidence before doing this.
o Make users change passwords if passwords may have been sniffed.
o Be sure the system has been hardened by turning off or uninstalling unused
services.
o Be sure the system is fully patched.
o Be sure real time virus protection and intrusion detection is running.
o Be sure the system is logging the correct events and to the proper level.
During the response and as part of the execution of the IRP the ISIRT will ensure that resulting
Incident Report captures a few critical items including the following:
How the incident was discovered.
The category of the incident.
Where the incident occurred (whether through email, firewall, etc.).
Source of incident (IP addresses and other information about the attacker).
Response type implemented.
Details of the response.
Outcomes – effectiveness of response.
Additionally, the ISIRT will ensure that the necessary steps are taken to protect the
organization’s assets and position the legal counsel with all that may be required for
prosecution. In doing so, the ISIRT will manage the following tasks that support the
organization in its business continuity practices:
Evidence Preservation—make copies of logs, email, and other communication. Keep lists
of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in
case of an appeal.
Notify proper external agencies—notify the police and other appropriate agencies if
prosecution of the intruder is possible. List the agencies and contact numbers here.
Assess damage and cost—assess the damage to the organization and estimate both the
damage cost and the cost of the containment efforts.
Review response and update policies—plan and take preventative steps so the intrusion
can't happen again.
o Consider whether an additional policy could have prevented the intrusion.
o Consider whether a procedure or policy was not followed which allowed the
intrusion, and then consider what could be changed to ensure that the procedure or
policy is followed in the future.
o Was the incident response appropriate? How could it be improved?
o Was every appropriate party informed in a timely manner?
o Were the incident-response procedures detailed and did they cover the entire
situation? How can they be improved?
o Have changes been made to prevent a re-infection? Have all systems been patched,
systems locked down, passwords changed, anti-virus updated, email policies set,
etc.?
o Have changes been made to prevent a new and similar infection?
o Should any security policies be updated?
o What lessons have been learned from this experience?
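Two of the IRP steps above, looking for gaps in system logs during the investigation and making copies of logs as preserved evidence, can be made concrete. The following is an added example written for this page; it is not GEARS tooling or code from the catalog. It flags silences longer than a chosen threshold in a constructed syslog-style excerpt (a silence after repeated failed logins is the kind of gap that may mean logging was stopped or entries were deleted) and records a SHA-256 digest for each preserved copy so the copy can later be shown unchanged. The function names, the sample log lines, the timestamp layout and the 30-minute threshold are assumptions for illustration.

```python
"""Added example (not GEARS code): two helpers for IRP steps described above.
find_log_gaps() flags silences in a log longer than a threshold;
preserve_evidence() copies a file and records its SHA-256 for the custody record."""
import hashlib
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample log (syslog-like lines with an assumed ISO-8601 timestamp).
# The 39-minute silence between 02:15:55 and 02:55:01 follows two failed root
# logins from an external address; a responder should ask why it is there.
SAMPLE_LOG = """\
2015-06-01T02:00:12 host1 sshd[812]: Accepted password for admin from 10.0.0.5
2015-06-01T02:05:40 host1 cron[901]: (root) CMD (run-parts /etc/cron.hourly)
2015-06-01T02:10:03 host1 sshd[815]: Failed password for root from 203.0.113.9
2015-06-01T02:15:55 host1 sshd[815]: Failed password for root from 203.0.113.9
2015-06-01T02:55:01 host1 sshd[877]: Accepted publickey for admin from 10.0.0.5
2015-06-01T03:00:00 host1 cron[950]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"  # assumed timestamp layout of the log


def parse_timestamp(line: str) -> Optional[datetime]:
    """Return the leading timestamp of a log line, or None if it has none."""
    token = line.split(" ", 1)[0]
    try:
        return datetime.strptime(token, TS_FORMAT)
    except ValueError:
        return None


def find_log_gaps(log_text: str, max_gap: timedelta) -> List[Tuple[str, str, timedelta]]:
    """Return (line_before, line_after, gap) for every pair of consecutive
    timestamped lines separated by more than max_gap. Lines without a
    parseable timestamp are skipped rather than counted as a gap."""
    gaps: List[Tuple[str, str, timedelta]] = []
    prev_line = ""
    prev_ts: Optional[datetime] = None
    for line in log_text.splitlines():
        ts = parse_timestamp(line)
        if ts is None:
            continue
        if prev_ts is not None and ts - prev_ts > max_gap:
            gaps.append((prev_line, line, ts - prev_ts))
        prev_line, prev_ts = line, ts
    return gaps


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 digest, the value written into the custody record."""
    return hashlib.sha256(data).hexdigest()


def preserve_evidence(source: Path, dest_dir: Path) -> Dict[str, object]:
    """Copy source byte-for-byte into dest_dir and return a custody record
    (paths, size, SHA-256 of the copy, collection time). Re-hashing the copy
    later and comparing against the record shows whether it was altered."""
    data = source.read_bytes()
    dest_dir.mkdir(parents=True, exist_ok=True)
    copy = dest_dir / source.name
    copy.write_bytes(data)
    return {
        "source": str(source),
        "copy": str(copy),
        "bytes": len(data),
        "sha256": sha256_of_bytes(copy.read_bytes()),  # hash the copy itself, not the source
        "collected_at": datetime.now().strftime(TS_FORMAT),
    }


if __name__ == "__main__":
    for before, after, gap in find_log_gaps(SAMPLE_LOG, timedelta(minutes=30)):
        print(f"gap of {gap} between:\n  {before}\n  {after}")
```

Run against the sample, the gap finder reports the single 39-minute silence; a log with no timestamps yields no gaps rather than a false alarm. The custody record hashes the copy after it is written, not the source buffer, so the digest describes exactly the file that will be presented later.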
1.5 Incident Response Training
As previously mentioned, the GEARS team has developed Vulnerability Management Programs.
Staff training is a key element of establishing a strong vulnerability management framework.
Adding robust appliance-based security solutions, while advantageous, will provide a low return
on investment if staff are not aware of security threats, how to identify them, and how to
respond to them. GEARS will work with DMS or other state departments and agencies not only to
create an effective IRP, but to develop interactive and engaging training sessions tailored to
the various organizational roles and responsibilities, from staff through leadership, designed
to teach the precepts of the IRP and to increase awareness of security threats, how to identify
them, and how to respond to them. To measure effectiveness once training is complete, GEARS
will design social engineering exercises to test the training and the organization's ability
to respond to an incident. A full report on the outcome of the social engineering exercises
will be provided to leadership.
2. Post-Incident Services
2.1 Incident Response Guidance
GEARS will work with technical staff to assist State Agencies in providing a full response to an
incident. Using the agency's IRP and leveraging our experience in incident response, GEARS
will join the State Agency's ISIRT in an advisory capacity to ensure that the processes and steps
taken result in a ticket opened with the appropriate level / category assigned, and an incident
report detailing the critical elements (how the incident was discovered; the category of the
incident; how the incident occurred; the source of the incident; details of the response; and the
outcome and effectiveness of the response). This information is critical not only during the response, but for the
incident post-mortem discussions that are instrumental in the continuous improvement
of the agency's IRP.
2.2 Incident Response Mitigation Plans
Based upon the information gathered through the investigation practices and response activities of
the incident, as noted previously, and through an understanding of organizational priorities and
critical infrastructure discussed during post-mortem meetings, the GEARS team will assist the
State Agency in developing mitigation plans to limit exposure in future incidents. Our team
understands that no agency is going to be free of risk, but through proper planning and
continuous improvement, risk mitigation can be achieved.
3. Applicable IT70 Labor Categories
The table below lists the published rates from the GEARS GSA IT 70 Catalog Labor Categories
that would be applicable in establishing an Incident Response team.

GEARS GSA IT 70 Catalog (GS 35F-0377Y)

Labor Category                 Maximum Price
Project Manager III            $157.88
Security Specialist I          $152.60
Security Specialist II         $184.18
Security Specialist III        $192.07
Disaster Recovery Specialist   $184.18
Network Administrator          $152.60
IT Training Specialist III     $152.60