2024-308-E-IT Dept-Trustedsec-Penetration testing and cybersecurity consulting
Entry Properties
Last modified: 6/5/2024 8:42:32 AM
Creation date: 6/5/2024 8:42:19 AM

Metadata
Template: Contract
Date: 5/30/2024
Contract Starting Date: 5/30/2024
Contract Ending Date: 5/31/2024
Contract Document Type: Contract
Amount: $21,500.00

Orange County North Carolina
TrustedSec Confidential

Exploitation

The Exploitation phase is a precision-strike against a target where there is a high confidence level that the attack will be successful. This phase highlights the ability to circumvent the controls in place, and to gain access to unauthorized systems, facilities, or information. Under no circumstances will TrustedSec perform denial-of-service (DoS) activities.

Regarding exploitation that has the potential to cause loss of availability, TrustedSec will communicate these activities prior to running any system-limiting attacks. As necessary, an agreement can be negotiated to run off-hours, or perform a manual validation of the exposure. TrustedSec conducts all exploitation activities with a high degree of caution prior to executing these forms of attack.

Post-Exploitation

In this phase, TrustedSec will locate key systems, sensitive data, and additional exposures to showcase maximum impact to the organization. The goal of this phase is to identify critical or confidential information, with the likelihood of further exploitation and potential exposure of that information during an attack.

Often, one single exposure, or a series of vulnerabilities chained together, allow for TrustedSec to breach the perimeter defenses (or internal systems) and further compromise systems, based on the information obtained from the compromise. All of this is accomplished while avoiding detection and evading common preventative technologies (such as end point protections, application whitelisting, next generation firewalls, etc.).

During the Post-Exploitation phase, TrustedSec will attempt to identify intellectual property, personally identifiable information (PII), and regulated data. Sensitive systems will be targeted, as well as users with elevated privileges, in order to gain a higher degree of control within the network environment.

Reporting

The Reporting phase is by far the most important aspect of any testing activities. The ability to effectively communicate how the attacks were successful, and most importantly, how to mitigate them moving forward, is paramount. TrustedSec spends a great deal of time and effort on this phase of the engagement. Each report is unique to the client and focuses heavily on understanding the exposure, ways to reproduce the vulnerability, and the recommended mitigation steps.

TrustedSec organizes vulnerabilities into two categories: strategic and technical. Technical Findings are simply the exposure (the exploit, vulnerability, etc.) and the suggested remediation steps. Strategic Recommendations are systemic exposures identified during the assessment that may indicate security program deficiencies. If solely Technical Findings

DocuSign Envelope ID: AFDC1276-5BF5-4129-B1DC-BCD00B65C8BC