BANCO PICHINCHA Kaspersky - Threat Modelling - Proposal NOV 2017


Threat Modelling Services

for BANCO PICHINCHA


BUSINESS PROPOSAL

May 2017
Table of Contents

1 Executive Summary ........................................................................................................ 3


1.1 Project Background .................................................................................................. 3
1.2 Project Goals ........................................................................................................... 4
1.3 Proposed Services ................................................................................................... 4
1.4 Contact Information .................................................................................................. 4
2 Proposed Services Description ....................................................................................... 5
2.1 Customer-Specific Threat Intelligence Reporting...................................................... 5
2.2 Penetration Testing .................................................................................................. 5
2.3 Threat Evaluation ................................................................................................... 10
2.4 Approach................................................................................................................ 12
3 Outcome ....................................................................................................................... 13
4 Schedule and Quotation ............................................................................................... 15
5 Liability Limit ................................................................................................................. 16
6 About Kaspersky Lab.................................................................................................... 17
7 Project Team ................................................................................................................ 18

Security Assessment Services for BANCO PICHINCHA | page 2 of 19


1 Executive Summary
1.1 Project Background
A request was received from BANCO PICHINCHA, in which the bank stated an interest in threat
modelling services. The services will allow BANCO PICHINCHA (hereinafter referred to as the
Customer) to reveal leaked information and compromised resources, to find out whether any attacks
are planned or ongoing, to identify security flaws in the enterprise IT infrastructure, and to
evaluate the current security posture against modern high-profile cybersecurity threats. The
results of the services can further be used to plan mitigation actions effectively and to avoid
potential damage from attacks on the Customer's corporate network, such as unauthorized access to
confidential information (e.g. trade secrets, financial information, personal data of clients and
staff), interruption of business processes, denial of service, etc.
Customer-Specific Threat Intelligence Reporting helps to identify the most likely way to mount
an attack against the organization, the routes and information available to an attacker
specifically targeting the Customer, and more. Our experts piece together a comprehensive picture
of your current attack status, identifying weak spots ripe for exploitation and revealing evidence
of past, present and planned attacks.
Penetration Testing is a practical demonstration of possible attack scenarios that allow a
malicious actor to bypass security controls in your corporate network and obtain high privileges
in important systems.
Threat Modeling
Kaspersky's Threat Modeling consultancy is a procedure for optimizing network security by
identifying objectives and vulnerabilities and then defining countermeasures to prevent or
mitigate the effects of threats to the system. In this context, a threat is a potential or actual
adverse event, which may be malicious (such as a denial-of-service attack) or incidental (such as
the failure of a storage device), that can compromise an enterprise's assets.
The key to threat modelling is determining where the greatest effort should be applied to keep a
system secure. This is a variable that changes as new factors develop and become known, as systems
are added, removed or updated, and as user requirements evolve.
Kaspersky's Threat Modeling is an iterative process that consists of defining the enterprise
assets, identifying the enterprise's highest-risk assets in order to create a security profile for
each service, identifying potential threats, prioritizing potential threats, and documenting
adverse events and the actions taken in each case. As part of the process we will evaluate the
current security solutions and recommend the necessary changes and/or adjustments in line with
industry best practices.
This document describes an approach to the Customer-Specific Threat Intelligence Reporting,
Penetration Testing and Threat Evaluation services proposed by Kaspersky Lab (hereinafter
referred to as the Service Provider) for BANCO PICHINCHA, and contains the approximate
cost estimation and the time frames of the project.



1.2 Project Goals
The goals of the services are:
To obtain a point-in-time snapshot of the attack surface that was, is being, or potentially
could be exploited by cyber-criminals for attacks against the Customer.
To obtain an independent assessment of the corporate network's current security posture and
evaluate the effectiveness of the implemented security controls.
To evaluate the actual threats to the Customer's IT infrastructure.
1.3 Proposed Services

Customer-Specific Threat Intelligence Reporting is to be provided in the form of a one-time
report; only passive and semi-passive methods will be used for the analysis. The Penetration
Testing service proposed by Kaspersky Lab includes external penetration testing with social
engineering and with attack development in the internal network, internal penetration testing
from two networks in Lima, and an optional onsite wireless security assessment. The services are
provided in accordance with international standards and best practices. The expected total
duration of the service is xxx business days. The cost of the service is $ xxxxx (with onsite
wireless security assessment) or $xxxxxx (without onsite wireless security assessment).

1.4 Contact Information


For further information on this proposal, please contact:
Santiago Cortez, Enterprise Sales Manager, Andean Region
Mobile: +593 999 16 01 39 | santiago.cortez@kaspersky.com



2 Proposed Services Description
2.1 Customer-Specific Threat Intelligence Reporting
Kaspersky Lab proposes Customer-Specific Threat Intelligence Reporting service for the
Customer, including the following works:
Network Reconnaissance and Vulnerability Analysis – only open-source intelligence (OSINT)
and semi-passive methods are used at this stage, that is, only methods that look like normal
Internet traffic and behaviour: WHOIS, passive analysis of public Internet sites, requests to
search engines, DNS requests, etc. Among others, centralized resources that list available
network services and their versions, based on port scanning periodically performed by those
services (such as Shodan, censys.io, scans.io), are used.
Malware and Cyber-Attack Tracking Analysis – multiple Kaspersky Lab internal resources are
used to monitor and track the actions of various malware (including malware used by
cyber-criminals for sophisticated fraud) and of cyber-criminal and cyber-espionage campaigns.
The following resources will be analyzed: Kaspersky Security Network (KSN), containing about a
petabyte of malicious and potentially malicious samples; a botnet tracking system used to
monitor botnet activities; passive DNS records; and C&C sinkholes for certain malware. Records
of IP addresses and domain names of victims of sophisticated advanced persistent threat (APT)
malware will be analyzed separately to detect the Customer's resources, if any.
Data Leakage and Underground Activities Analysis – the Service Provider analyzes dumps of
compromised accounts that became publicly available as a result of various breaches, as well
as compromised data available on various limited-access hacker forums. Information on deals on
underground forums will be checked for the presence of the Customer's resources, clients or
employees. In particular, we can reveal attempts to hire insiders, malicious insiders trying to
sell access or data, discussions about attack plans, or open bounties (rewards) for
compromising your company.
Threat analysis and report preparation – at this stage the Service Provider analyzes the
threats relevant to the Customer and prepares a report describing the threat intelligence
results and recommending further remediation actions.

Knowing the weakest spots and having recommendations from Kaspersky Lab will allow you to
improve security controls and avoid possible negative impact on systems from cybercriminal
attacks or insiders.

Kaspersky Threat Intelligence Reporting has no impact on the integrity and availability of the
network resources being inspected. The service is based on non-intrusive network
reconnaissance methods, and analysis of information available in open sources and resources
of limited access.

2.2 Penetration Testing

The proposed penetration testing service includes the following stages:


1. External penetration testing – security assessment from the Internet without any
preliminary knowledge of the Customer’s corporate network:
1.1. Network Perimeter Security Assessment aimed at obtaining access to the
Customer’s local area network (LAN) and including:
Passive information gathering (results of Threat Intelligence can be used)



Active information gathering (network discovery), including port scanning, identification
of available services and manual requests to certain services (DNS, mail)
External vulnerability scanning
Web application security analysis (using both automated and manual approaches)
aimed at identifying the following types of vulnerabilities:
- Code injection (SQL Injection, OS Commanding, etc.)
- Client-side vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, etc.)
- Flaws in authentication and authorization
- Insecure data storage
- Other web application vulnerabilities leading to the threats listed in WASC Threat
Classification v2.0 and OWASP Top Ten
Manual vulnerability analysis, including identification of resources without
authentication, important publicly available information, and insufficient access control
Credentials guessing
Social engineering testing (testing scenarios and target users to be negotiated with the
Customer)
Exploitation of one or more of the vulnerabilities found and privilege escalation (if
possible)
Attack development with the obtained privileges, using the techniques listed above, until
the Service Provider gets access to the LAN or all attack methods available at the time of
testing are exhausted
1.2. Attack Development inside the LAN, aimed at obtaining high privileges in important
systems (this service is performed if access to the LAN was successfully obtained);
the following tests may be performed at this stage (depending on obtained privilege
level and related risks):
Active information gathering (network discovery), including port scanning and
identification of available network services
Network traffic analysis
Performing active or passive attacks aimed at network traffic redirection and
interception (ARP Spoofing, NBNS Spoofing, etc.)
Internal vulnerability scanning
Web application security analysis (using both automated and manual approaches)
aimed at identifying the following types of vulnerabilities:
- Code injection (SQL Injection, OS Commanding, etc.)
- Client-side vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, etc.)
- Flaws in authentication and authorization
- Insecure data storage
- Other web application vulnerabilities leading to the threats listed in WASC Threat
Classification v2.0 and OWASP Top Ten
Manual vulnerability analysis, including identification of resources without
authentication, important information that is publicly available, insufficient access
control
Credentials guessing
Exploitation of one or more vulnerabilities found and privilege escalation (if possible)



Attack development with the obtained privileges, using the techniques listed above, until
the Service Provider gets access to one or more important network resources (e.g.
Active Directory domain controller, core banking, ATM network, business systems,
DBMSes, etc.) or until all attack methods available at the time of testing are exhausted
2. Internal Penetration Testing – security assessment on behalf of an internal attacker that
aims to obtain high privileges in the Customer’s critical systems. The testing is performed
remotely via VPN or onsite at the Customer’s offices (two locations in Lima) and may
include the following tests (depending on the privilege level obtained and related risks):
Connection to the LAN (including NAC bypass if necessary)
Active information gathering (network discovery), including port scanning and
identification of available network services
Network traffic analysis
Active or passive attacks aimed at redirecting and intercepting network traffic (ARP
Spoofing, NBNS Spoofing, etc.)
Internal vulnerability scanning
Web application security analysis (using both automated and manual approaches)
aimed at identifying the following types of vulnerabilities:
- Code injection (SQL Injection, OS Commanding, etc.)
- Client-side vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, etc.)
- Flaws in authentication and authorization
- Insecure data storage
- Other web application vulnerabilities leading to the threats listed in WASC Threat
Classification v2.0 and OWASP Top Ten
Credentials guessing (including online and offline password brute force)
Exploitation of one or more of the vulnerabilities found and privilege escalation (if
possible)
Attack development with the obtained privileges, using the techniques listed above, until the
Service Provider gets access to one or more important network resources (e.g. Active
Directory domain controller, core banking, ATM network, business systems, DBMSes,
etc.) or until all attack methods available at the time of testing are exhausted
3. Wireless Networks Security Assessment – analysis of WiFi networks aimed at detecting
security flaws in WiFi access points and client devices in the 2.4 and 5 GHz bands
(802.11a/b/g/n/ac), together with flaws in architecture and wireless access networking.
Testing is performed onsite at the Customer's offices (two locations in Lima). The Service
Provider conducts a black-box security assessment of wireless networks including the
following checks:
Detection of access points connected to the Customer's LAN without authorization
Detection of access points with configuration security flaws (including absent or weak
encryption)
Detection of unauthorized connections to wireless networks
Detection of security flaws in client wireless devices

Knowledge of the security flaws and recommendations from Kaspersky Lab will allow you to fix
vulnerabilities and avoid possible negative impact on the IT infrastructure from hacker attacks
or insiders.
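The traffic redirection attacks listed for the internal stages above (ARP Spoofing, NBNS Spoofing) leave a recognizable footprint on the wire: a reply that nobody asked for, and an IP address that suddenly answers from a different MAC. The following Python is an added example written for this edit, not part of the original proposal and not Kaspersky Lab's tooling; it runs detection logic over a constructed ARP capture (the IP and MAC addresses, and the gateway binding in KNOWN_BINDINGS, are assumptions) and reports binding conflicts as high severity and bare unsolicited replies as low severity, because gratuitous ARP is normal when a host comes up.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    ts: float          # capture time in seconds
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


# Assumed inventory data: the gateway's authoritative IP -> MAC binding.
KNOWN_BINDINGS = {"10.10.0.1": "00:11:22:33:44:01"}

GW_MAC, VICTIM_MAC, ATTACKER_MAC, NEWHOST_MAC = (
    "00:11:22:33:44:01", "00:11:22:33:44:50", "0a:0b:0c:0d:0e:0f", "00:11:22:33:44:77")

# Constructed capture (not from a real network): a legitimate request/reply for the
# gateway, then a bidirectional spoof of gateway and victim, then a gratuitous ARP.
CAPTURE = [
    ArpFrame(0.00, "request", "10.10.0.50", VICTIM_MAC,   "10.10.0.1",  "00:00:00:00:00:00"),
    ArpFrame(0.01, "reply",   "10.10.0.1",  GW_MAC,       "10.10.0.50", VICTIM_MAC),
    ArpFrame(2.00, "reply",   "10.10.0.1",  ATTACKER_MAC, "10.10.0.50", VICTIM_MAC),
    ArpFrame(2.00, "reply",   "10.10.0.50", ATTACKER_MAC, "10.10.0.1",  GW_MAC),
    ArpFrame(5.00, "reply",   "10.10.0.77", NEWHOST_MAC,  "10.10.0.77", "ff:ff:ff:ff:ff:ff"),
]


def detect_arp_spoofing(frames, known=KNOWN_BINDINGS, window=2.0):
    """Replay ARP frames in time order and flag two things:
    - a reply whose sender MAC differs from the binding already trusted for
      that IP (high: this is what ARP poisoning looks like);
    - a reply with no matching request inside `window` seconds (low: gratuitous
      ARP is legitimate, but it is also how poisoning is usually delivered)."""
    bindings = dict(known)          # ip -> MAC we trust so far; never overwritten by a conflict
    pending = defaultdict(deque)    # ip -> timestamps of requests still awaiting a reply
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.op == "request":
            pending[f.target_ip].append(f.ts)
            # A request also carries the sender's own binding; learn it once.
            bindings.setdefault(f.sender_ip, f.sender_mac)
            continue
        queue = pending[f.sender_ip]
        while queue and f.ts - queue[0] > window:
            queue.popleft()         # expire stale requests
        solicited = bool(queue)
        if solicited:
            queue.popleft()
        trusted = bindings.setdefault(f.sender_ip, f.sender_mac)
        if trusted != f.sender_mac:
            alerts.append({"severity": "high", "reason": "ip_mac_conflict", "ip": f.sender_ip,
                           "expected_mac": trusted, "seen_mac": f.sender_mac, "ts": f.ts})
        elif not solicited:
            alerts.append({"severity": "low", "reason": "unsolicited_reply", "ip": f.sender_ip,
                           "expected_mac": trusted, "seen_mac": f.sender_mac, "ts": f.ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(CAPTURE):
        print(alert)
```

Run against the constructed capture, the two frames at t=2.00 produce high-severity alerts for 10.10.0.1 and 10.10.0.50, both pointing at the same unknown MAC, which is the signature of a full man-in-the-middle between victim and gateway; the new host at t=5.00 only produces a low-severity notice. The NBNS/LLMNR case has the same shape (a name response for a name no legitimate host owns) and can be detected with the same request/reply pairing.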



Penetration testing has much in common with a real hacker attack and makes it possible to
assess the effectiveness of protection measures in practice. However, unlike a hacker attack,
the service is performed by experienced security experts from Kaspersky Lab who take
particular care of system confidentiality, integrity and availability, in strict adherence to
the following international standards and best practices:
Payment Card Industry Data Security Standard (PCI DSS)
Penetration Testing Execution Standard (PTES)
NIST Special Publication 800-115, Technical Guide to Information Security Testing
and Assessment
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
Web Application Security Consortium (WASC) Threat Classification
Open Web Application Security Project (OWASP) Testing Guide
Common Vulnerability Scoring System (CVSS)
And other standards, depending on your organization’s business and location

The analysis is performed using automated tools and manually by experts. The following
security assessment tools will be used:
Information gathering tools (Maltego, theHarvester and others)
Various general-purpose and specialized scanners (Nmap, MaxPatrol, Nessus, Acunetix
WVS, nbtscan and others)
Complex security assessment solutions (Kali Linux)
Credentials guessing tools (Hydra, ncrack, Bruter and others)
Specialized solutions for web application security assessment (OWASP DirBuster,
Burp Suite, ProxyStrike, various plug-ins for Mozilla Firefox)
Network traffic analyzers (Wireshark, Cain & Abel)
Credentials extraction and management tools (Mimikatz, WCE, pwdump and others)
Specialized tools for various types of attacks (Yersinia, Loki, Responder, SIPVicious and
others)
And others, including limited-access exploits and custom exploitation tools developed by
the Service Provider

Upon request of the Customer, the full results of Threat Intelligence can be used for
Penetration Testing (for example, compromised accounts that were found can be included in the
dictionaries used for credentials guessing attacks).

By following the approach described above the Service Provider will be able to reveal the
following types of vulnerabilities:
Vulnerable network architecture, insufficient network protection
Vulnerabilities leading to network traffic interception and redirection
Insufficient authentication and authorization in various services
Weak user credentials
Configuration flaws, including excessive user privileges



Vulnerabilities caused by errors in application code (code injections, path traversal, client-
side vulnerabilities and other application vulnerabilities including those leading to the
threats listed in OWASP Top Ten and WASC Threat Classification)
Vulnerabilities caused by use of outdated hardware and software versions without the
latest security updates
Information disclosure
Insufficient staff awareness of information security

For penetration testing to be legal and safe, the Customer shall provide a point of contact (a
representative) for all communications on the project, including scope negotiations, resolving
access issues, and providing confirmations for active works. The representative must be an
official employee of the Customer using an e-mail address in the Customer's own domain name
(not a third-party intermediary).

4. Application security assessment service

The application security assessment service by Kaspersky Lab will give you information about
the vulnerabilities existing in your applications so that you can plan further actions to
mitigate the corresponding security risks. Our experts will use their practical experience and
international best practices to detect security flaws leading to threats such as:
Obtaining unauthorized access to the application or its backend components, including the
ability to obtain confidential data, modify information, or perform fraudulent actions
Performing attacks against application clients and obtaining access to the application
under their accounts
Obtaining important information to plan further attacks

Knowing about security flaws and having recommendations from Kaspersky Lab will allow you
to fix the vulnerabilities and avoid possible negative impact on the applications from hacker
attacks or insiders.

Approach and Methodology

For application security assessment our experts will use the black-box approach: assessment
without user credentials, to reveal vulnerabilities available to an external attacker without
any privileges.

Security assessment is performed in accordance with Kaspersky Lab's own methodology, based on
international standards and best practices, such as the standards and guidelines provided by:
Open Web Application Security Project (OWASP)
Web Application Security Consortium (WASC)

The analysis is performed both using automated tools and manually by experts. The following
main security assessment tools will be used:
Various general-purpose and specialized application scanners (Nessus, Acunetix WVS,
Nmap, and others)



Specialized solutions for application security assessment (OWASP DirBuster, Burp Suite,
ProxyStrike, various plug-ins for Mozilla Firefox)
Complex security assessment solutions (Kali Linux)
And others

Threat Modelling
Steps to be followed during the consultancy:
- Identify the security objectives
- Examine the critical services tied to the organization's core business.
- Decompose the service chain
- Identify the threats and the different actors and/or possible actors
- Identify vulnerabilities and gaps in the security system.
- Carry out in-depth ethical hacking to identify
- Carry out an in-depth intelligence analysis using Kaspersky Lab's specialized systems and
databases.
- Through interviews with the organization's key personnel we will define the company's
objective, aligned with the security objectives. The organization's vision must be aligned
with the information security strategy, supported by threat intelligence, cybersecurity and
cyber-intelligence services.

Identify the security objectives:

Identity: Does the service protect the user's identity from abuse? Are there adequate
controls to assure proof of identity (as required for many banking applications)?
Financial: Assess the level of risk the organization is prepared to absorb in remediation,
such as a possible financial loss.
Reputation: Quantify or estimate the loss of reputation resulting from the application being
misused or successfully attacked.
Privacy and Regulation: To what extent will the application have to protect user data?
Availability Guarantees: Is the application required to be available under a Service Level
Agreement (SLA) or a similar guarantee? Is it nationally protected infrastructure? To what
level must the application be available? High-availability techniques are significantly more
expensive, so applying the right controls up front will save a great deal of time, resources
and money.
Possible attackers and attack vectors:
It is important to keep in mind that a motivated attacker is needed to exploit a threat. To
understand the relevant threats, the following categories are used to understand who might
attack the service:
Accidental discovery: An ordinary user stumbles upon a functional error in the service, simply
by using a web browser, and gains access to privileged information or functionality.
Automated malware: Programs or scripts that search for known vulnerabilities and then report
them to a central collection site.
The curious attacker: A security researcher or ordinary user who notices something wrong with
the application and decides to pursue it.
Cyber-mercenaries: Independent or organized attackers who sell themselves to the highest
bidder. Potentially a disgruntled staff member with inside knowledge, or a paid professional
attacker.
Script kiddies: Common renegades who seek to compromise or deface applications for collateral
gain, notoriety or a political agenda.
Cyber criminals: Criminals seeking high returns, such as cracking e-commerce or corporate
banking applications, for financial gain.
Nation states: Motivated by information and espionage.
Hacktivists: Organizations seeking revenge, often motivated by ideology and revenge.
It is vital to understand the level of attacker you are defending against. For example, a
motivated attacker who understands your internal processes is often more dangerous than a
script kiddie.
Define the risk matrix:

Actor / Attacker                                  Likelihood   Impact
Foreign governments and/or government agencies    High         High
Cyber-mercenaries                                 High         High
Insiders                                          Medium       High
Hacktivists                                       Medium       Medium
Personal revenge                                  Low          Medium
Script kiddies                                    Low          Low

Threat Hunting Services. Consultancy on hunting attackers in the network

What is the best way to mount an attack against your organization? What routes and what
information are available to an attacker who targets you specifically? Has an attack already
been mounted, or are you about to be threatened?

The Threat Hunting service answers these questions and more, as our experts piece together a
complete picture of your current attack situation, identifying weak spots that are ready to be
exploited and revealing evidence of past, present and planned attacks.

Empowered by this unique insight, you can focus your defence strategy on the areas identified
as the main targets of cybercriminals, acting quickly and precisely to repel intruders and
minimize the risk of a successful attack.

Using IOCs, YARA rules and the staff of Kaspersky Lab's research and analysis team, an
exhaustive sweep of the entire network will be performed in order to identify possibly
compromised workstations, servers and domain controllers.
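The sweep described above is a matching problem: every host's artifacts (file hashes, DNS queries, outbound connections, file contents) are checked against an indicator set and a rule set. The Python below is an added example for this edit, not the proposal's own text and not Kaspersky Lab's hunting tooling; the indicators, the YARA-style rules and the three hosts' artifacts are all constructed for illustration, and the rule matcher reproduces only YARA's string/condition core. It also shows one pitfall worth getting right: a domain IOC must match exact or subdomain names, not arbitrary substrings, or `fakeupdate-cdn.example` would be reported as a hit on `update-cdn.example`.

```python
import ipaddress

# Constructed indicators for illustration; none are real campaign IOCs.
IOC_SHA256 = {"ab" * 32, "cd" * 32}
IOC_DOMAINS = {"update-cdn.example", "mail-relay.example.net"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.7/32")]

# Minimal YARA-style rules: named byte patterns plus an "all"/"any" condition.
RULES = {
    "susp_dropper": {"strings": [b"MZ\x90\x00", b"cmd.exe /c powershell -enc"],
                     "condition": "all"},
    "c2_beacon_uri": {"strings": [b"/gate.php", b"/panel/upload"],
                      "condition": "any"},
}

# Constructed host artifacts, shaped like what a collection agent returns:
# file path -> (sha256, content sample), DNS queries seen, outbound peers.
HOSTS = {
    "WS-0142": {
        "files": {r"C:\Users\Public\svchost.exe":
                  ("AB" * 32, b"MZ\x90\x00...cmd.exe /c powershell -enc SQBFAFgA")},
        "dns": ["www.example.org", "cdn.update-cdn.example"],
        "connections": ["198.51.100.23", "10.0.0.5"],
    },
    "SRV-FILE01": {
        "files": {r"C:\Windows\System32\svchost.exe": ("11" * 32, b"MZ\x90\x00 signed binary")},
        "dns": ["mail-relay.example.net"],
        "connections": ["10.0.0.25"],
    },
    "DC-01": {
        "files": {r"C:\Windows\System32\lsass.exe": ("22" * 32, b"MZ\x90\x00 signed binary")},
        "dns": ["fakeupdate-cdn.example", "time.example.org"],  # not a subdomain of the IOC
        "connections": ["10.0.0.1"],
    },
}


def domain_matches(query, ioc_domain):
    """Exact or subdomain match on label boundaries; a substring test would
    also hit 'fakeupdate-cdn.example', which is a different registrable domain."""
    q, d = query.lower().rstrip("."), ioc_domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def ip_matches(address, networks=IOC_NETWORKS):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def rule_matches(rule, data):
    hits = [pattern in data for pattern in rule["strings"]]
    return all(hits) if rule["condition"] == "all" else any(hits)


def hunt(hosts, hashes=IOC_SHA256, domains=IOC_DOMAINS, rules=RULES):
    """Sweep every host's artifacts against the indicator and rule sets.
    Returns (host, indicator_type, indicator, evidence) tuples."""
    findings = []
    for host, art in hosts.items():
        for path, (sha, content) in art["files"].items():
            if sha.lower() in hashes:                    # hashes compare case-insensitively
                findings.append((host, "hash", sha.lower(), path))
            for name, rule in rules.items():
                if rule_matches(rule, content):
                    findings.append((host, "yara", name, path))
        for query in art["dns"]:
            for d in domains:
                if domain_matches(query, d):
                    findings.append((host, "domain", d, query))
        for peer in art["connections"]:
            if ip_matches(peer):
                findings.append((host, "ip", peer, peer))
    return findings


def compromised_hosts(findings):
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for finding in hunt(HOSTS):
        print(*finding)
```

On the constructed data, WS-0142 is flagged by all four indicator types, SRV-FILE01 by a single exact domain hit, and DC-01 (whose binary carries an MZ header but not the encoded-PowerShell string, and whose lookup merely resembles the IOC domain) by nothing, which is the behaviour a hunter wants before the result is handed to incident response.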

 Approach

The confidentiality, integrity and availability of your IT resources are our top priority.
Kaspersky Lab's experts will take all necessary precautions to avoid any harm to your
environment. All sensitive technical information related to the project (important data,
credentials, assessment results, etc.) will be stored and transferred using strong encryption,
and can be deleted upon your request after project completion.

The project team members are experienced security assessment professionals with deep
knowledge of the field who constantly improve their skills (see section 9 for a description
of the project team).



5. Outcome
Under the Customer-Specific Threat Intelligence Reporting service, the Customer will obtain
a report describing the notable threats relevant to the Customer, together with additional
information on the detailed technical analysis results. The report includes the following
information:
Executive summary – brief description of the revealed vulnerabilities, threats, traces
of compromise, and current cybercriminal and cyberespionage activity against the
Customer's assets.
Detailed description – in-depth analysis of the threat intelligence data, description of
potential vulnerabilities, possible attack sources, information on malware targeting
your organization (if any), leaked confidential documents, underground forum data
analysis, etc.
Remediation recommendations – the report will suggest steps to mitigate the
consequences of critical vulnerabilities or ongoing cyber-attacks and to protect your
resources from actual security threats

As a result of the Penetration Testing service, BANCO PICHINCHA will obtain a report
containing the following:
Conclusions on the current security posture of the analyzed resources (including
description of possible threats)
Description of the project scope
Description of the methodologies and tools used
Description of the vulnerabilities found, information about their severity levels, exploitation
conditions and complexity, and related impact
Demonstration of vulnerability exploitation (for the most critical vulnerabilities)
Recommendations on the elimination of vulnerabilities or implementation of compensating
controls
A resulting list of detected vulnerabilities and corresponding recommendations

By following the approach described above Kaspersky Lab will be able to reveal the following
types of vulnerabilities in your applications:
Absent or insufficient authentication and authorization
Code injection (SQL Injection, OS Commanding, etc.)
Vulnerabilities in the applications’ logic, which could be used for fraud
Mistakes in the implementation of application functions available to a user
Vulnerabilities leading to direct access to system objects (Path Traversal, etc.)
Client-side vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, etc.)
Insecure data storage, including lack of encryption
Insufficient entropy of important parameters, such as session identifiers or one-time
passwords, leading to possible guessing by an attacker



Information disclosure, including information about the specifics of application functions’
implementation and program components used, as well as other information that can be
used by an intruder to develop an attack
Improper configuration of an operating system, a web server, and other components
And other application vulnerabilities including ones leading to the threats listed in WASC
Threat Classification v2.0 and OWASP Top Ten
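The "insufficient entropy" finding in the list above is one a tester measures rather than eyeballs. The following Python is an added example for this edit, not part of the proposal and not Kaspersky Lab's methodology; it compares a constructed sample of CSPRNG-generated session identifiers with a constructed weak generator (a counter rendered in hex, standing in for timestamp- or sequence-based IDs) using two checks a practitioner actually applies: per-position Shannon entropy summed over the token, and a clustering test that catches sequential values even when their character distribution looks varied. The threshold of 64 bits and the sample size of 200 are assumptions chosen for the demonstration.

```python
import math
import secrets
from collections import Counter

# Constructed samples, not tokens from any real application. Two hundred
# 128-bit identifiers from a CSPRNG stand in for a well-built session ID.
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(200)]


def weak_generator(n, start=1_500_000_000, step=17):
    # Constructed weak generator: a timestamp-like counter rendered as 16 hex
    # digits, the kind of "session ID" that only differs in its last few digits.
    return [f"{start + i * step:016x}" for i in range(n)]


WEAK_TOKENS = weak_generator(200)


def positional_entropy(tokens):
    """Shannon entropy (bits) of the symbol distribution at each position.

    Summing over positions gives an optimistic estimate of token entropy: it
    ignores correlations between positions, and with N samples a position can
    never show more than log2(N) bits, so the sample size caps what is visible."""
    length = min(len(t) for t in tokens)
    n = len(tokens)
    bits = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits


def looks_sequential(tokens, max_gap=1 << 20):
    """True when the tokens, read as hex integers and sorted, are tightly
    clustered: most neighbours differ by less than max_gap. Counters and
    timestamps show this pattern; CSPRNG output spread over 2**128 does not."""
    try:
        values = sorted(int(t, 16) for t in tokens)
    except ValueError:
        return False  # not hex, this check does not apply
    gaps = [b - a for a, b in zip(values, values[1:])]
    return bool(gaps) and sum(g < max_gap for g in gaps) > len(gaps) // 2


def assess_tokens(tokens, min_bits=64.0):
    """Verdict is "weak" if the entropy estimate is below min_bits, if the
    values look sequential, or if any token repeats within the sample."""
    per_position = positional_entropy(tokens)
    estimated_bits = sum(per_position)
    duplicates = len(tokens) - len(set(tokens))
    sequential = looks_sequential(tokens)
    weak = estimated_bits < min_bits or sequential or duplicates > 0
    return {
        "estimated_bits": round(estimated_bits, 1),
        "constant_positions": sum(1 for b in per_position if b == 0.0),
        "duplicates": duplicates,
        "sequential": sequential,
        "verdict": "weak" if weak else "acceptable",
    }


if __name__ == "__main__":
    for name, sample in (("csprng", STRONG_TOKENS), ("counter", WEAK_TOKENS)):
        print(name, assess_tokens(sample))
```

On the constructed weak sample the first twelve hex digits never change and the whole token carries well under 32 bits of visible entropy, while the CSPRNG sample exceeds 64 bits by a wide margin and shows no clustering. The positional estimate alone can be fooled by a generator that permutes a counter, which is why the sequential check is run as well; a full assessment would also collect tokens over time and across accounts.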

As a result of the project the Customer will obtain a report ("BANCO PICHINCHA Application
Security Assessment Report") containing the following:
Conclusions on the current security posture of the analyzed applications (including
description of possible threats)
Description of the project scope
Description of the methodologies and tools used
Description of the found vulnerabilities, information about their severity levels, exploitation
conditions and complexity, and related impact
Demonstration of vulnerabilities exploitation (for the most critical ones)
Recommendations on elimination of vulnerabilities or implementing compensative controls
A resulting list of detected vulnerabilities and corresponding recommendations for every
application

Reports are delivered via encrypted email messages.

As a result, the Threat Modelling service by Kaspersky Lab provides you with an independent
assessment of the current IT infrastructure’s security posture and evaluates the effectiveness
of implemented security controls.



6. Schedule and Quotation
The expected total duration of the service is 106 business days. The cost of the service is
$xxxxxxxx (with onsite wireless security assessment) or $xxxxxxxx (without onsite wireless
security assessment).

Proposed service time frames are provided in the table below.

#     Stage/work                                                                  Duration¹ (business days)
1     Threat Intelligence Reporting (performed independently from penetration testing)
2     External penetration testing
2.1   External penetration testing (with social engineering)
2.2   External penetration testing – Attack Development (in case of successful penetration)
2.4   Internal penetration testing (remote via VPN)
2.5   Wireless security assessment in two locations in Bogotá (optional, performed
      simultaneously with internal penetration testing)
2.6   Penetration Testing Report preparation and negotiation
3     Threat Evaluation
      Total:

¹ The estimated project duration is preliminary and does not include time taken by the Customer's actions (delays
in providing confirmations for activities, delays in providing or restoring access, delays in scope and report
negotiations, etc.; see section 7, Liability Limit). The project start date must be negotiated with the Service
Provider individually.


7. Liability Limit
The Service Provider undertakes to take all reasonable precautions so as not to impede the
correct functioning of the Customer's network resources.

Actions which may lead to a denial of service shall be negotiated in advance with a Customer
representative. Such actions shall be conducted only with the onsite presence of a
Customer's employee responsible for the project. If any hardware or software failures occur
during testing, the Service Provider shall inform the Customer about the incident and provide
advisory help in resolving it.

By agreeing to the execution of the work, the Customer accepts the risk of possible negative
consequences of the tests. Because some tests fully simulate malicious attacks, the Customer
assumes the obligation to resolve potential disputes related to claims by Internet service
providers or any other legal entities and individuals against the Service Provider.

The Customer is aware that during penetration testing, availability of services and applications
may be reduced and stored data may be partially modified. The Customer assumes a
commitment to settle potential problems arising in this connection, and shall not bring any
claims against the Service Provider for these reasons.

In the event that organizational or technical issues arise which hamper the testing process,
including those caused by missing written confirmations from the Customer for certain
activities requested by the Service Provider, and those caused by prevention security systems
(lack of network access to the tested resources, blocking of the Service Provider's IP
addresses or accounts, etc.), the Customer shall resolve the issues if the problem is on the
Customer's side. In such cases, the corresponding attack vectors are not considered during
further testing (if the problem is not solved within one business day), or the project schedule
and the entire project duration are postponed for the duration of the delay in communications
or access.

The Customer understands that the purpose of the penetration testing service is to bypass
security controls and obtain high privileges in important systems. Vulnerability identification
and exploitation are performed to the extent needed to achieve this goal. If at least one attack
vector used by the Service Provider leads to high privileges, the service goal is considered to
be achieved. Once such an attack vector is found, the search for other vulnerabilities
(including those that cannot be used for further attack development within the scope of the
service) and attack vectors will only be performed if the Service Provider confirms the
availability of staff resources for these tests.


8. About Kaspersky Lab
Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates
in almost 200 countries and territories across the globe, providing protection for over 400
million users worldwide. Kaspersky Lab is the world’s largest privately held vendor of endpoint
protection solutions. The company is ranked among the world’s top four vendors of security
solutions for endpoint users. Throughout its more than 19-year history Kaspersky Lab has
remained an innovator in IT security and provides effective digital security solutions for large
enterprises, SMBs and consumers.
Undoubtedly, the company’s most valuable asset is the wealth of expertise – including
vulnerabilities and malware research, counteracting potentially dangerous applications, traffic
filters, etc. – that it has gained over those years of combating major IT threats. This helps the
company to remain one step ahead of the competition and provide its users with the most
reliable protection against new types of attack.

Utilizing the company's advanced threat and malware research, analysis and investigation,
Kaspersky Lab has discovered some of the top advanced persistent threats:

Kaspersky Lab uses advanced threat analysis, forensics and investigation to help
enterprise customers protect their online services and reputation.
Learn more at www.kaspersky.com.


9. Project Team
Brief descriptions of the proposed project team members (name, job title, description) follow.

Alexander Zaitsev (Head of Penetration Testing)
Alexander leads the penetration testing team. He has over 10 years of experience in practical
information security, including technological audits, penetration testing, social engineering
assessments, reverse engineering and application assessments. Alexander has performed
security research in different areas and presented research results at major international
security conferences (Black Hat USA, Power of Community, Positive Hack Days and others).

Gleb Gritsai (Head of Security Services Research)
Gleb leads the security research team and has over 10 years of experience in practical
security, from infrastructure assessments to embedded assessments (hardware security,
application security), including ICS used in various industries. Gleb has performed security
research in different areas and presented research results at major international security
conferences (CCC, Power of Community, Positive Hack Days and others).

Dmitry Bestuzhev (Director, Global Research & Analysis Team, Latin America)
In addition to overseeing anti-malware research and analysis work, Dmitry produces reports
and forecasts for the region and is frequently sought out by international media and
organizations for his expert commentary on IT security. Dmitry's wide field of expertise covers
everything from online fraud to the use of social networking sites by cybercriminals. Dmitry is
also an expert in corporate security, cyber espionage and complex targeted attacks and
participates in various educational initiatives throughout the Americas. Dmitry has more than
16 years of experience in IT security across a wide variety of roles.

Alexey Osipov (Leading Penetration Testing Specialist)
Alexey provides penetration testing and security assessments of various types of systems,
including telecommunication network security, ATM/POS security and business application
security. Alexey performs security research and publishes reports and articles related to
information security (including talks at the international conferences BlackHat Europe
2013-2014, NoSuchCon 2013, HackInParis 2015, BlackHat USA 2015, Nuit Du Hack 2016,
Hack In The Box Singapore 2016 and CCC 2016).

Alexander Timorin (Head of ICS Security Group)
Alexander leads the ICS security group. He has deep knowledge and experience in
penetration testing and ICS security assessment using both high-level and low-level
approaches. Alexander has given talks at different international security conferences, such as
Confidence, Hack.lu, CodeBlue, CCC and Power of Community. He has found zero-day
vulnerabilities in ICS hardware and software of popular vendors.


Artem Kondratenko (Penetration Testing Specialist)
Artem provides complex, technological and socio-technical penetration testing. He has
participated in over 20 security assessment projects.
Certifications: Offensive Security Certified Professional (OSCP)

Eugenie Potseluevskaya (Head of Security Services Analysis)
Eugenie provides penetration testing, as well as high-level security assessment (BIA) based
on technical security assessment results. She has over 10 years of experience in information
security.
Certifications: Certified Information Systems Security Professional (CISSP), Certified
Information Systems Auditor (CISA), Offensive Security Certified Professional (OSCP)

Anna Breeva (Penetration Testing Specialist)
Anna provides complex, technological and socio-technical penetration testing. She has
participated in over 20 security assessment projects.
Certifications: Offensive Security Certified Professional (OSCP)
