Vulnerability Assessment & Penetration Testing (VAPT)
Overview
The VAPT program identifies security vulnerabilities in the systems, networks, and applications of critical government agencies. So far, VAPT has been conducted
on 2,246 web applications, servers, network devices, and mobile applications
across 32 government institutions, resulting in 51 reports.
Server VAPT
Vulnerability assessment and penetration test on server operating system.
This is a black box test which doesn’t require user credential and this test will identify possible installed services,
running services, open ports, service version detection, network communications, patch information etc
Website VAPT
Vulnerability assessment and penetration test on website to detect possible vulnerabilities.
This VAPT doesn’t require user credential. This test will identify web technologies and versions, SQL injection,
Cross-site scripting, Unrestricted file upload, Web backdoor, Directory traversal etc.
Note: Each unique sub-domain will consider as domain.
Web Application VAPT
Vulnerability assessment and penetration test on web application to detect possible vulnerabilities.
This test may require web application user credential to conduct vulnerability assessment to detect SQL injection,
Cross-site scripting, Unrestricted file upload, Local or remote file inclusion, Authentication bypass, Misconfiguration etc.
Note: Each unique sub-domain will consider as domain.
Incident Response
BGD e-GOV CIRT will receive information regarding cyber security incidents, triage incidents and coordinate response.
When a cybersecurity incident or problem is reported from an organization, the CIRT team responds quickly and effectively to
mitigate damage, control threats, and restore normal operations.Possible activities related to incident handling include but not limited to:
- Incident analysis and evidence collection.
- Coordinating and managing the response to cybersecurity incidents to minimize damage and recover systems quickly.
- Providing technical assistance and support to affected organizations during and after an incident.
- Performing post-incident reviews to learn from incidents and improve future response capabilities.
- Documenting and reporting on incidents to share lessons learned and improve overall cybersecurity awareness.
IT Audit & Risk Assessment
Overview
IT audits are conducted to identify vulnerabilities in the
information technology systems of important organizations, ensuring their
cybersecurity. To date, 35 IT audits have been completed in government
institutions, and reports have been submitted. Following are the main activities by IT Audit & Risk Assessment team
- Doing Risk assessment for Organization
- Training on Basic Risk Assessment
- Training on Advanced Risk Assessment
- Doing Audit assessment for Organization
- Training on Basic Information Security and Process Audit (Without Global Certification)
Service Flowchart
Digital Forensics
The Digital Forensics Lab at BGD e-GOV CIRT offers essential digital forensic services related to cyber incidents for various
government, private, and law enforcement agencies. This service conducts digital forensic investigations to identify the root cause of incidents, gather evidence, and support legal
proceedings if necessary. Analyzing malware and other malicious activities to understand their behavior and develop mitigation strategies.
Activities include but not limited to:
Computer Forensic
- Duration: Min 5 working days / case
- Evidence Detection
- Evidence Acquisition
- Evidence Analysis/Examination
- Documenting and Reporting
Mobile Forensic
- Duration: Min 7 working days / case
- Evidence Detection
- Evidence Acquisition
- Evidence Analysis/Examination
- Documenting and Reporting
Forensic Support Service
- Duration: Min 2 MAN days
- On premise Forensic Technical Support
- Technical support on Forensic Data Acquisition
- Technical support on Forensic Data Analysis & Reporting
- Note: Forensic Tools are not included in the service, Client must provide the tools. For services including tools please refer to COMPUTER_FORENSIC & MOBILE_FORENSIC.
Digital Forensics Training
- Duration: 3 days (3 hours per class) / batch (total 9 hours minimum)
- Mode: On premise, hands on training.
- Tools: Open source.
- Participant: 20 persons per batch
- Note: participant’s stationary & snacks arranged by inviting authority.
Cyber Threat Intelligence (CTI)
Overview
Information about potential and organized cyber-attacks, as well as cyber threats, is collected and analyzed. Possible
cyber risks to respective organizations are communicated through notifications and alerts, with 632 reports sent to various government institutions thus far.
Activities
Threat Intelligence will be provided to the entities such as Critical Information Infrastructures, Banking and Financial
Institutions, Law Enforcement Agencies etc. Main activities are:
- Domain /entity based threat received from multiple sources will be provided on monthly basis.
- Critical threat intelligence will be shared as and when received.
- This service is purely on subscription basis.
- Operating a Cyber Sensor Unit to continuously monitor the network of selected organizations for suspicious activities and emerging threats.
- Gathering and analyzing threat intelligence to anticipate and mitigate potential cyber threats.
- Issuing alerts and advisories to mitigate probable cybersecurity risks.
Creating Awareness & Capacity Building
Overview
As a part of awareness and capacity building BGD e-GOV CIRT conducts workshops, seminars, cyber drills and training programs
to raise awareness and build capacity among stakeholders about cybersecurity best practices. Publishing guidelines to educate organizations
on how to protect their systems and data is also a part of this service.
Component 1: Basic Cyber Security Training
- Duration: 3 working days
- Maximum 10 number of participants
- Basic attack and basic defense scenario simulation
- Basic cyber security awareness
Component 2: Advance Cyber Security Training
- Duration: 5 working days
- Maximum 10 number of participants
- Advance attack and basic defense scenario simulation
- Hands on training on Kali OS
Service Catalog
In order to accomplish its mission, BGD e-GOV CIRT will provide the following services to its constituents.
| Service Name |
Package |
Package Details |
Service Charge
(Excl. VAT and TAX) |
| Cyber Sensors Installation and Commissioning |
CS_1G |
One-unit Cyber sensor Installation and Commissioning -1G Interface Capacity (One Time) |
12,000,000.00 (One Time) |
| CS_10G |
One-unit Cyber sensor Installation and Commissioning – 10G interface capacity (One Time) |
15,000,000.00 (One Time) |
| CS_SUPPORT |
Operations, Maintenance, monthly sensor report one unit per month (Per month) |
300,000.00 (Per month) |
| Risk Assessment |
RA_DHK_01 |
Risk assessment per Organization within Dhaka Duration: 3 weeks minimum (5 days onsite & 2 weeks offsite) |
7,00,000.00 (One Time) |
| RA_OUTDHK_01 |
Risk assessment per Organization outside Dhaka Duration: 3 weeks minimum (5 days onsite & 2 weeks offsite) |
9,00,000.00 (One Time) |
| RA_Training_Basic |
Training on Basic Risk Assessment Duration: 03 Working days
Maximum Participants: 10 Person
Venue: BGD e-GOV CIRT Premise |
60,000.00 (One Time) |
| RA_Training_Advance |
Training on Advanced Risk Assessment Duration: 05 Working days
Maximum Participants: 10 Person
Venue: BGD e-GOV CIRT Premise |
1,00,000.00 (One Time) |
| Audit Assessment and Reporting |
ITAUDIT_DHK_01 |
Audit assessment & Reporting per Organization within Dhaka Duration: 4 weeks minimum (5 days onsite & 3 weeks offsite) |
8,00,000.00 (One Time) |
| ITAUDIT_OUTDHK_01 |
Audit assessment per Organization outside Dhaka Duration: 4 weeks minimum (5 days onsite & 3 weeks offsite) |
10,00,000.00 (One Time) |
| ITAUDIT_Training_Basic_DHK |
Training on Basic Information Security and Process Audit (Without Global Certification) Duration: 05 Working days
Maximum Participants: 10 Person
Venue: BGD e-GOV CIRT Premise |
250,000.00 (One Time) |
| TAUDIT_Training_Basic_OutDHK |
Training on Basic Information Security and Process Audit (Without Global Certification) Duration: 05 Working days
Maximum Participants: 10 Person
Venue: Client Premise |
350,000.00 (One Time) |
| Vulnerability Assessment and Penetration Test |
SERVER_VAPT |
Vulnerability assessment and penetration test on server operating system. This is a black box test which doesn’t require user credential and this test will identify possible installed services, running services, open ports, service version detection, network communications, patch information etc |
46,000.00 (One Time) |
| WEBSITE_VAPT |
Vulnerability assessment and penetration test on website to detect possible vulnerabilities. This VAPT doesn’t require user credential. This test will identify web technologies and versions, SQL injection, Cross-site scripting, Unrestricted file upload, Web backdoor, Directory traversal etc. Note: Each unique sub-domain will consider as domain. |
1,11,000.00 (One Time) |
| WEB_APPLICATION_VAPT |
Vulnerability assessment and penetration test on web application to detect possible vulnerabilities. This test may require web application user credential to conduct vulnerability assessment to detect SQL injection, Cross-site scripting, Unrestricted file upload, Local or remote file inclusion, Authentication bypass, Misconfiguration etc. Note: Each unique sub-domain will consider as domain. |
1,63,000.00 (One Time) |
| Digital Forensic |
COMPUTER_FORENSIC |
Component: Computer Forensic
Duration: Min 5 working days / case
Description:
- Evidence Detection
- Evidence Acquisition
- Evidence Analysis/Examination
- Documenting and Reporting
|
6,50,000.00 (Per CASE) |
| MOBILE_FORENSIC |
Component: Mobile Forensic
Duration: Min 7 working days / case
Description:
- Evidence Detection
- Evidence Acquisition
- Evidence Analysis/Examination
- Documenting and Reporting
|
4,00,000.00 (Per CASE) |
| FORENSIC_SUPPORT |
Component: Forensic Support Service
Duration: Min 2 MAN days
Description:
- On premise Forensic Technical Support
- Technical support on Forensic Data
Acquisition
- Technical support on Forensic Data
Analysis & Reporting
Note: Forensic Tools are not included in
the service, Client must provide the
tools. For services including tools please
refer to COMPUTER_FORENSIC & MOBILE_FORENSIC. |
30,000.00
/Per 2 MAN
Days |
| FORENSIC_TRAINING |
Component: Digital Forensics Training
Duration: 3 days (3 hours per class) /
batch (total 9 hours minimum)
Mode: On premise, hands on training.
Tools: Open source.
Participant: 20 persons / batch
Note: participant’s stationary & snacks
arranged by inviting authority. |
22,500.00
/per batch |
| Cyber Security Training |
Basic_Cyber_Security_Training |
Component: Basic Cyber Security Training
Duration: 3 working days
Description:
- Maximum 10 number of
participants
- Basic attack and basic defense
scenario simulation
- Basic cyber security awareness
|
60,000.00 (One Time) |
| Advance_Cyber_Security_Training |
Component: Advance Cyber Security
Training
Duration: 5 working days
Description:
- Maximum 10 number of
participants
- Advance attack and advance
defense scenario simulation
- Hands on training on Kali
|
95,000.00 (One Time) |
| Cyber Threat
Intelligence |
Cyber Threat Intelligence |
Threat Intelligence will be
provided to the entities such as
Critical Information
Infrastructures, Banking and
Financial Institutions, Law
Enforcement Agencies etc.
- Domain /entity based threat
received from multiple sources
will be provided on monthly basis.
- Critical threat intelligence will be
shared as and when received.
- This service is purely on
subscription basis.
|
BDT 1,00,000
per month.
Minimum
Subscription
1year. |