Loren Data Corp.

COMMERCE BUSINESS DAILY ISSUE OF MAY 1, 2001 PSA #2841
SOLICITATIONS

U -- INFORMATION SECURITY AUDITOR TRAINING

Notice Date
April 27, 2001
Contracting Office
U.S. General Accounting Office, Acquisition Management, 441 G. Street N.W., Room 6851, Washington, DC 20548
ZIP Code
20548
Response Due
May 25, 2001
Point of Contact
Robert F. Dacey, Director, Information Security Issues, 202-512-3317; Darrell L. Heim, Assistant Director, Information Security Issues, 202-512-6237; or Karen T. Gantt, Contracting Officer, 202-512-2709
E-Mail Address
heimd@gao.gov
Description
The U.S. GAO conducts information security audits at federal agencies, as one line of work among others. Such audits generally include network vulnerability assessments with attempts to gain access to agency systems, commonly referred to as "penetration testing." This work has demonstrated the importance of developing and maintaining a skilled staff to perform such audits. These staff must understand the vulnerabilities of and defenses needed for current computer and network technologies and how to assess systems for such vulnerabilities.

This announcement constitutes a Request for Information (RFI) synopsis and market research. Information obtained as a result of this synopsis is for planning purposes only. It does not constitute an invitation for sealed bid or request for proposal (RFP), nor is it to be construed as a commitment by the government.

GAO seeks information from private companies regarding their capability to provide training on the following topics, and existing courses and costs for such training.

(1) Understanding the Technology, including networking (Local Area Networks), internetworking (Internet and Wide Area Networks), operating systems, ports and services, protocols, and dial-in modems.

(2) Understanding the Problems to include information leakage, weak password controls, unpatched or outdated software, unnecessary or misconfigured services, excessive user privileges, excessive trust relationships, and inadequate logging and monitoring.

(3) Types of Attacks to include denial of service, sniffing, password cracking, spoofing, buffer overflows, and social engineering.

(4) Network Vulnerability Analysis to include penetration testing attack scenarios and tools and techniques. The tools and techniques are to include information gathering, standard operating system commands, port scanners, modem locators, data extraction tools, vulnerability scanners, sniffers and keyboard capture utilities, log analyzers, password crackers, and social engineering. Also, the training is to include demonstrations, and hands-on practice and exercises.

(5) Defense Techniques (How to "Prevent" and "Detect") to include mitigating controls against the attack scenarios and tools and techniques described in the Network Vulnerability Analysis section. Also, to include demonstrations, and hands-on practice and exercises.

In addition, GAO seeks information from responding companies that will describe their capability and process for working with GAO to develop and/or customize courses around and help refine our technical audit practice aids for auditing specific environments. These include, but are not limited to: IBM OS/390, CA-Top Secret, CA-ACF2, IBM RACF, UNIX variants, Windows NT and 2000 server, Novell NetWare 4.x and 5.x, Cisco IOS, and Cisco PIX and Checkpoint firewalls.

Further, GAO seeks information from responding firms on their training facilities in the Washington, DC metro area, and/or their capability to provide the training at GAO's Headquarters in Washington, DC.

Responses should be submitted to: Robert F. Dacey, Director, Information Security Issues, U.S. General Accounting Office, Room 5T37, 441 G Street, NW., Washington, DC 20548 on or before May 25, 2001.
Record
Loren Data Corp. 20010501/USOL007.HTM (W-117 SN50K5I2)

Created on April 27, 2001 by Loren Data Corp. -- info@ld.com