HackerGuardian Reports
Clicking the View Report button in the HackerGuardian interface brings up the Report Summary Screen.
Report Summary
The summary provides an at-a-glance overview of all completed scans and serves as a central point of access to Individual Audit Reports, Comparative Summaries, Executive Summaries and PCI Compliance Reports.

Report summary columns:
- Request Time - shows the Date and Time of scan request.
- Start Time - shows the Date and Time of scan start.
- End Time - shows the Date and Time of scan end.
- Audit Time - shows the period of time of the performed scan.
- Status - shows whether the scan has been completely performed or not. If it completed, the Status is shown as Finished. If it did not complete, the Status remains Failure.
- Target - shows the IP address for which scan has been performed.
- PCI Compliance - shows PCI compliance report.
This section also has additional options to view and compare reports, refresh and delete buttons.
Select all reports for: - this box provides a shortcut that allows all reports for a particular IP to be selected at once.

The Report Summary Screen provides access to four types of reports:
- Individual Audit Reports - Individual reports are a detailed overview of scans on a single host. They include a prioritized list of the vulnerabilities found, expert remediation advice and thousands of cross-referenced online advisories.
- Comparative Summaries - (Enterprise packages only) Comparative Summaries allow administrators to view 'before and after' comparisons of the vulnerability status of a single host.
- Executive Summaries - (Enterprise packages only) Executive summaries provide an overview of the security status of multiple hosts - allowing administrators to gain an overview of the health of their entire network.
- PCI Compliance Reports - Users can download a 'ready to submit' PCI Scan Compliance report immediately after a 'successful' scan (no vulnerabilities of level 3, 4 or 5).
Both Individual Audit Reports and PCI Compliance Reports can be converted into PDF format by clicking the icon in the upper right hand corner. (see below)

Individual Audit Reports
To view an individual report click on the particular IP address listed under the 'Targets' column.

The following screen with the summary appears.

Individual Audit Reports In Detail
Summary Section

- Box 1 is a summary of the criteria used during the scan. It shows the number of plugins deployed vs. the number available when the scan was performed on the specific IP (or range of IPs). The 'options' field contains a condensed summary of the parameters chosen in the 'Set Options' section of HackerGuardian.
NOTE: the diagram shows the number of plugins at the time the scan was run, i.e. the historical configuration of plugins at scan time.
- Box 2 indicates the date and time the scan began, the date and time the scan finished, and the scan duration. This information is also represented by the light blue area in the accompanying diagram.
- Box 3 gives information on the security holes, security warnings and security notes found. The table shows the number of each, and the diagram shows their percentage proportions.
- Box 4 gives information on the categories. The table shows the number of failed tests in each category, and the diagram shows their percentage proportions.
Your.IP.address Section
In the Report List, the IP that was scanned is shown at the top of the list.

The Report list displays the sum of all security threats and vulnerabilities found during a scan followed by detailed description (synopsis) of the problem.
Synopsis
The Synopsis in the report tells the end user about the security hole. For example: if the protocol is encrypted, if debugging is enabled etc.

Based on the synopsis, a vulnerability description is given. The vulnerability description in the report suggests the Solution, Risk Factor and CVE.
Solution
When a security warning or vulnerability is found, the report suggests action to take by giving a set of rules to be configured for the specific port/service vulnerability.
Risk Factor - Low | Medium | High
In the report list the Risk Factor shows the severity of the vulnerability.
NVD provides severity rankings of “Low”, “Medium”, and “High” in addition to the numeric CVSS scores, but these qualitative rankings are simply mapped from the numeric CVSS scores:
- Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
- Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
- Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.
CVE
The CVE list provides an index of standardized names for vulnerabilities and other information security exposures - CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.
Examples of universal vulnerabilities include:
- phf (remote command execution as user "nobody")
- rpc.ttdbserverd (remote command execution as root)
- world-writeable password file (modification of system-critical data)
- default password (remote command execution or other access)
- denial of service problems that allow an attacker to cause a Blue Screen of Death
- smurf (denial of service by flooding a network)
Examples of exposures include:
- running services such as finger (useful for information gathering, though it works as advertised)
- inappropriate settings for Windows NT auditing policies (where "inappropriate" is enterprise-specific)
- running services that are common attack points (e.g., HTTP, FTP, or SMTP)
- use of applications or services that can be successfully attacked by brute force methods (e.g., use of trivially broken encryption, or a small key space)
Each CVE name includes the following:
- CVE identifier number (i.e., "CVE-1999-0067").
- Indication of "entry" or "candidate" status.
- Brief description of the security vulnerability or exposure.
- Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).
Reporting a False Positive
A false positive exists when HackerGuardian incorrectly detects a Security Hole (vulnerability of level 3, 4 or 5) or if compensating controls exist elsewhere in the network's security infrastructure to offset or nullify the vulnerability.
Administrators have the ability to submit suspected false positives to Comodo from within the security advisory itself (see below).
If you think this is a legitimate false positive, click the 'Click here' link shown above. This will open the false positive reporting interface (shown below).
- Next, check the box 'You confirm that this security item is a false positive and has been fully patched/fixed on your server'.
- Important - administrators must include information in the text box detailing the patch or compensating control that they have deployed. If this space is left blank then the request will be automatically rejected.
Click 'Save' to submit the report to the HackerGuardian technicians for analysis and verification. The advisory will contain the following message to indicate that your submission is under review:
Our support team will review the information provided to ensure it is satisfactory.
If Confirmed as false positive by our technicians - This security hole will no longer count against your IP address. Genuine false positives are automatically removed from the list of security holes from which your PCI report is derived.
Your Host Compliancy Status will be automatically updated in your PCI Compliancy Report. You do not need to run another scan.
For example - If this false positive represented the only security hole on your host, then your PCI report will change from 'Not Compliant' to 'Compliant' and you can immediately download it.
Mitigation Plan
HackerGuardian will conduct an in-depth audit of your network to detect vulnerabilities on your network and web-server. If your servers fail the test, you will find lots of helpful advisories in the scan report that will help you patch the security holes.
That's why EACH report contains a condensed, PCI specific, ‘Mitigation Plan’ - a concise, bulleted list of actions that you need to take to achieve compliance.

Compare Reports
The Compare Reports function allows administrators to conduct before and after comparisons on the health of a host/target IP. Comparative reports can be created by individually selecting the reports pertaining to a specific IP, or by using the 'Select all reports for:' function.

The 'Comparative summary report' is different to regular reports in that it presents a time line of security threats on a particular host. It is best used to analyse the historical security status of a single host/target over time.
The following screen would appear if you compare two or multiple reports.

The 'Comparative Summary' section consists of three parts: Risks by Severity, Risks by Category, Risks by Status.

- Risks by Severity gives information on the security holes, security warnings and security notes found. The table shows the number of each and its trend, and the diagram shows the percentage proportions.
- Risks by Category gives information on the categories. The table shows the number of failed tests in each category and its trend, and the diagram shows the percentage proportions.
- Risks by Status gives information on the status. The table shows the number of failed tests that were Fixed/Removed, that are new, and that stayed unchanged, and the diagram shows the percentage proportions.
The Scan History section lists the dates on which you scanned the IP and the number of hosts audited, along with a Risk Factor Comparison, which helps you compare the risk level you had before with the one you have now.

Executive Summaries
Executive summaries are a condensed view of the information available by viewing reports individually, but present it in a more easily digested manner - allowing admins to quickly pick out where insecurities lie and to assess then investigate any surges in the trends.
Executive reports are designed to give an overview of a network comprising many different hosts.

The following screen would appear:

Executive Summary
- Risks by Host gives information on the security holes, security warnings and security notes found per host. The table shows the number of vulnerabilities per host, and the diagram shows the total percentage proportion per IP address: your.IP.address1 vs. your.IP.address2 vs. your.IP.address3 etc. (each host is represented by a different color).
- Top Risks Categories by Host gives information on the categories. The table shows the number of failed tests in each category per host and the total number of top risk categories.

Scan History
Scan History consists of three sections:
- Risks by Severity: plots the total vulnerabilities discovered across a user's network over time.
Note: the more hosts you have in your network, the higher the likely number of reported vulnerabilities. This graph delineates the threat profile to a network over time and allows administrators to gain an overview of the success of their threat mitigation strategies and measures.

- Risks by Host displays the total vulnerabilities discovered over time per host (each host is represented by a different color). The X axis displays the date on which a scan was conducted whilst the Y axis indicates the number of threats discovered. The number of plugins deployed during a particular scan is represented by the grey line. The graph enables administrators both to gain an overview of the overall health of their network and to monitor the security of individual hosts within that network.

- Scan frequency and Hosts indicates the regularity and volume of vulnerability scans. Administrators should use this graph to quickly check whether scans are being conducted according to their pre-defined scan schedule. Any unscheduled gaps in this chart would indicate that a scan did not take place on that date and may be cause for investigation. Similarly, any unaccounted dip in the number of hosts that were scanned will be recorded here.

PCI Compliance Reports
The PCI Compliance report is the one you need to submit to your acquiring bank to demonstrate compliance. To view the report, click the 'PCI Compliance Report' link next to the relevant IP address in the list of reports:

The PCI Compliance report is divided into four sections:

- Scanning Vendor Information

- Date - shows date/time of performed scan:

- Hosts Compliance Status
Each post-scan HackerGuardian vulnerability report states a PCI compliance status of ‘Compliant’ or ‘Not Compliant’ based on the discovery of potential security flaws on your systems.
Your host is PCI Compliant:

Your host is NOT PCI Compliant:

- Severity Rating Mapping
The following table shows the official PCI severity ratings and their HackerGuardian equivalent names.

If no vulnerabilities of severity levels 3, 4 or 5 (named ‘security holes’ in HackerGuardian) are detected then the scanned IP addresses, hosts and internet connected devices have passed the test and the report can be submitted to your acquiring bank.
If the report indicates ‘Non Compliant’ then the merchant or service provider must remediate the identified problems and re-run the scan until compliancy is achieved.
If your HackerGuardian PCI Scan Compliance Report indicates ‘NOT COMPLIANT’ then vulnerabilities with severity rating of 3, 4 or 5 were discovered on your externally facing IP addresses. The accompanying Audit Report contains a detailed synopsis of every vulnerability prioritized by threat severity. Each discovered vulnerability is accompanied with solutions, expert advice and cross referenced links to help you fix the problem. You should fix all vulnerabilities identified as a ‘Security Hole’.
Furthermore, each report contains a condensed, PCI specific, ‘Mitigation Plan’ - a concise, bulleted list of actions that you need to take to achieve compliance.
After completing the actions specified in the Mitigation Plan you should run another scan until the report returns a ‘COMPLIANT’ status.
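The pass rule above (no level 3, 4 or 5 findings), the effect of a confirmed false positive, and the 'Risks by Status' comparison can be reproduced offline when tracking remediation between scans. The following is an added example, not HackerGuardian code: the `Finding` record, the `check_id` field and the sample scans are constructed assumptions, since the page does not define an export format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    port: str      # e.g. "443/tcp"
    check_id: str  # hypothetical identifier of the failed test
    level: int     # PCI severity level 1-5, as used in the report

    @property
    def key(self):
        # Assumption: a finding is "the same" across scans if port and check match.
        return (self.port, self.check_id)


def compliance_status(findings, confirmed_false_positives=frozenset()):
    """Return (status, blocking): 'Compliant' only when no level 3-5 finding
    ('security hole') remains after confirmed false positives are removed."""
    blocking = [f for f in findings
                if f.level >= 3 and f.key not in confirmed_false_positives]
    return ("Compliant" if not blocking else "Not Compliant"), blocking


def risks_by_status(before, after):
    """Classify findings between two scans of one host, as 'Risks by Status' does."""
    old = {f.key for f in before}
    new = {f.key for f in after}
    return {
        "fixed_or_removed": sorted(old - new),
        "new": sorted(new - old),
        "unchanged": sorted(old & new),
    }


# Constructed sample data: two scans of the same host.
SCAN_BEFORE = [
    Finding("443/tcp", "weak-cipher", 3),
    Finding("21/tcp", "anon-ftp", 4),
    Finding("80/tcp", "banner", 1),
]
SCAN_AFTER = [
    Finding("443/tcp", "weak-cipher", 3),
    Finding("80/tcp", "banner", 1),
    Finding("25/tcp", "open-relay", 2),
]

if __name__ == "__main__":
    print(compliance_status(SCAN_AFTER))
    print(compliance_status(SCAN_AFTER, {("443/tcp", "weak-cipher")}))
    print(risks_by_status(SCAN_BEFORE, SCAN_AFTER))
```

The second call mirrors the case described under Reporting a False Positive: once the only remaining security hole is confirmed as a false positive, the status changes without another scan.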





