At the end of each PCI/Custom scan, HackerGuardian produces a vulnerability report and an executive report for each IP/Domain scanned and an executive report and a chart depicting the scan results in pie diagrams for the network device scanned. The compliance status for each device is set as Compliant or Non-Compliant based on the discovery of potential security flaws on the device/IP/Domain.
The security flaws or the vulnerabilities are rated based on their severity levels. The rating of each vulnerability is indicated by the color of title bar of the respective report. The following table shows the official PCI severity ratings.
|Rating||CVSS Score||Vulnerability||Severity Level||Scan Result|
|Red||7.0 - 10||Security Hole||High||Fail PCI Scan|
|Orange||4.0 - 6.9||Security Warnings||Medium||Fail PCI Scan|
|Blue||0 - 3.9||Security Notes||Low||Pass PCI Scan|
Based on the ratings, HackerGuardian categorizes the vulnerabilities as Security Holes, Security Warnings and Security Notes.
|Security Holes||A vulnerability, whose severity level is more than three or 'High', is identified as a Security Hole. To pass a PCI Compliance scan, no holes are to be found during the scan. If any holes are found, the merchant or the service provider must remediate the identified problems and re-run the scan until the compliance is achieved.|
|Security Warnings||A vulnerability, whose severity level, is equal to two or 'Medium', is indicated as a Security Warning. To pass a PCI Compliance scan, no warnings are to be found during the scan. If any warnings are found, the merchant or the service provider must remediate the identified problems and re-run the scan until the compliance is achieved.|
|Security Notes||A vulnerability, whose severity level, is equal to one or 'Low', is indicated as a Security Note.|
Each HackerGuardian report indicates the Security Holes, Security Warnings and Security Notes found on each device/IP/Domain and also provides solution for remediation.
The Scan Reports produced from the PCI scans can be assessed from the 'Reports' area of the HackerGuardian interface, displayed by clicking the 'Reports' tab from the Navigation bar. From this interface, you can:
- View the scan reports
- Submit False Positives
- Track the status of Submitted False Positives
- Download all the reports as a zip file by clicking the 'Generate Report Pack' button.
View Hackergaurdian Scan Reports
Clicking the 'Scans' link in the Reports area opens the list of the scan reports produced by HackerGuardian at the end of each scan.
At the end of each scan HackerGuardian produces three types of reports.
- Executive Report - Executive Reports provide an overview of the security status of multiple hosts - allowing administrators to gain an overview of the health of their entire network.
- Charts Page - The charts page displays the scan summary and the bar-graphs and pie diagrams indicating the proportions of vulnerabilities according to their categories.
- Vulnerability Report - Vulnerability Reports are a detailed overview of scans on a single host. They include a prioritized list of the vulnerabilities found, expert remediation advice and thousands of cross-referenced online advisories.
Tip - The Executive Reports and the Vulnerability Reports can be converted into pdf format by clicking the link 'Print in PDF' from the Additional Actions area as shown below.
The administrator can filter the reports listed, based on the scan type, status or even the reports pertaining to a specific IP or domain. The table below describes the filtering options available in this interface.
|View||Enables to filter the reports based on the scan type. E.g. to view only the PCI scan reports, select 'PCI Reports' from the drop-down menu.|
|Filter by Status||Enables to filter the reports based on success or failure of the scan results.|
|Search by IP/Domains||Enables to filter the reports pertaining to specific IP or Domain. The administrator can enter the IP address or the Domain name and the reports only for those will be listed.|
An Executive Report is a condensed view of the information available by viewing reports individually, but present it in an more easily digested manner - allowing admins to quickly pick out where insecurities lie and to assess then investigate any surges in the trends.
To view an executive summary of a device, click the Executive Report button in the row.
Tip - You can also click Executive Report button beside the device name from the 'Device List' area to view the report.
An example of an executive report is shown below.
The Executive report contains the following information:
|1. Scan Information||Provides information on the Company name of the subscriber, scanning vendor (Comodo CA Ltd.,), date of scan and the scan expiry date.|
|2. Component Compliance Summary||Provides an at-a-glance indication of PCI Compliance status of your systems.|
|3a. Vulnerabilities noted for for each IP address||
Provides details on types of vulnerabilities identified for each IP address, with their severity level, CVSS base score and compliance status.
If no vulnerabilities with a CVSS base score greater than 4.0 (named 'security holes' in HackerGuardian') are detected then the scanned IP addresses, hosts and Internet connected devices have passed the test and the report can be submitted to your acquiring bank.
If the report indicates 'Fail' on any of the IP address, then the merchant or service provider must remediate the identified problems and re-run the scan until compliancy is achieved.
|3b. Special Notes by IP Address||Provides any special details or notes of the vulnerabilities found and any special declarations given by the subscriber.|
If the Component Compliance Summary section of your HackerGuardian Executive Report indicates a failure in the Compliancy Status, then vulnerabilities with a CVSS base score greater than 4.0 were discovered on your externally facing IP addresses. The accompanying Vulnerability Report contains a detailed synopsis of every vulnerability prioritized by threat severity. Each discovered vulnerability is accompanied with solutions, expert advice and cross referenced links to help you fix the problem. You should fix all vulnerabilities identified as a 'Security Hole'.
Furthermore, each report contains a condensed, PCI specific, 'Mitigation Plan' - a concise, bulleted list of actions that you need to take to achieve compliance.
After completing the actions specified in the Mitigation Plan you should run another scan until the report returns a 'COMPLIANT' status.Charts Page
The Charts Page contains at-a-glance summary of the scan results on the device at the top and graphical representations of proportions of identified vulnerabilities according to their categories.
To view the Chart Page of a Device, click the charts page button in the row of the Device.
Tip - You can also click the charts page button beside the Device name from the 'Device List' area to view the page.
An example of the Charts Page is given below.
The summary table provides the list of IP addresses/Domains pertaining to the device scanned and the number of Security Holes, Security Warnings and Security Notes identified in each IP/Domain.
Also the table contains a list of flaws (with no.of flaws in parenthesis) which fall under top five risk categories, for each IP/domain scanned.Scan History
The scan history section contains bar-graphs and pie diagrams indicating the proportions of vulnerabilities according to their categories.
Vulnerabilities by Host - A graphical representation of the information regarding the security holes found, security warnings, and security notes per host. Each category is represented by a different color. Pointing the mouse cursor over a bar in the graph displays the count of the respective item found. The graph enables administrators to gain both an overview of the overall of health their network and to monitor the security of individual hosts within that network.
Vulnerabilities by Severity - A pie-diagram representation of proportions of security holes, security warnings, and security notes found for the entire device. Pointing the mouse cursor over a sector in the diagram displays the percentage proportion of the respective item found.
Security Holes by Category - A pie-diagram representation of proportions of security holes of different categories like Trojan Horses, file R/W exploits, Remote Procedure Call (RPC) exploits etc., found for the entire device. Pointing the mouse cursor over a sector in the diagram displays the number and percentage proportion of the respective item found.
Security Warnings by Category - A pie-diagram representation of proportions of security warnings of different categories like Firewall exploits etc., found for the entire device. Pointing the mouse cursor over a sector in the diagram displays the number and percentage proportion of the respective item found.
Vulnerabilities Trend - A graphical representation of the comparison of the vulnerabilities found in the IPs/Domains of the device during the last five scans. This gives the trend of the reduction in the number of vulnerabilities in successive scans because of the remediation actions taken at the end of each scan. Each IP/Domain in a device is indicated with a different color. Pointing the mouse cursor over a bar in the graph displays the number of the vulnerabilities found in the respective IP/Domain in the respective scan. This graph also indicates the administrator on the frequency of the scans and enables to check whether scans are being conducted according to their pre-defined scan schedule.
Scan Time per Host - A graphical representation of the time taken for scanning each IP/Domain in the device. Pointing the mouse cursor over a bar in the graph displays the time taken fr the IP/Domain in hours.
A Vulnerability Report provides a detailed overview of scan results on a single IP/Domain. It includes a prioritized list of the vulnerabilities found, expert remediation advice and thousands of cross-referenced online advisories.
To view a Vulnerability Report of a IP/Domain, click the '+' beside the respective device and then click the 'Vulnerability Report' button in the row of the respective IP/Domain.
Tip - You can also click Vulnerability Report button beside the IP/Domain name from the 'Device List' area to view the report.
The Vulnerability Report consists of a summary of the scan details and the prioritized list of the vulnerabilities found.Scan Summary
The scan summary contains the following details:
- Company Name - The Company name of the subscriber.
- ASV company name - Name of the approved scanning vendor (Comodo CA Ltd.,)
- Scan expiration date - The expirt date of the scan for which the report was generated.
- Start Time - The date and time at which the scan was started.
- Finish Time - The date and time at which the scan was completed.
- Total Scan Duration Time - The total time taken for the scan.
- Plugins Used - The number of vulnerability plug-ins deployed during the scan.
- A table providing the number of Security Holes, Security Warnings and Security Notes identified the IP/Domain.
- A list of open ports detected on the IP/Domain and their respective communication protocols and dedicated services.
Following the scan summary, the identified vulnerabilities are listed with their descriptions, priority, the plug-in that identified the flaw, risk factor, expert advices for remediation etc. An example is shown below.
The title bar indicates the type of the vulnerability and the port/service in which it is identified.
|Status||Indicates the status of the device whether it has passed or failed.|
|Plugin||The vulnerability plug-in that has detected the vulnerability.|
|Category||The category of the flaw that is responsible for the vulnerability.|
|Priority||Indicates the priority at which the vulnerability has to be remediated.|
|Synopsis||The Synopsis in the report provides a short description of the vulnerability. For example: if the protocol is encrypted, if debugging is enabled etc.|
|Description||A detailed description of the vulnerability and its effects. This section also contains links for additional reading about the vulnerability.|
Shows the severity of the vulnerability according to the CVSS score. The NVD provides severity rankings of "Low", "Medium", and "High" in addition to the numeric CVSS scores but these qualitative rankings are simply mapped from the numeric CVSS scores:
Provides CVE index of standardized names for vulnerabilities and other information security exposures, BID numbers and other references to the vulnerability.
CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.
Examples of universal vulnerabilities include:
|Solution||Provides expert advices on the action to be taken by giving a set of rules to be configured for the specific port/service vulnerability. This gives the best suited remediation measure for the vulnerability found.|
HackerGuardian will conduct an in-depth audit of your network to detect vulnerabilities on your network and web-server. If your servers fail the test, you will find lots of helpful advisories in the scan report that will help you patch the security holes.
That's why EACH report contains a condensed, PCI specific, 'Mitigation Plan' - a concise, bulleted list of actions that you need to take to achieve compliance. The mitigation plan is available at the end of the list of the vulnerabilities.
Tip - You an directly view the mitigation plan by clicking the link Jump to Remediation Plan from the 'Additional Actions' area.
Reporting False Positives
A false positive exists when HackerGuardian incorrectly detects a Security Hole (vulnerability with a CVSS base score greater than 4.0) or if compensating controls exist elsewhere in the network's security infrastructure to offset or nullify the vulnerability.
Administrators have the ability to submit suspected false positives to Comodo from with the security advisory itself (see below)
If you think this is a legitimate false positive, click the 'Report as False Positive' link or here 'link' shown above. This will open the false positive reporting interface. (shown below).
- Next, check the box 'You confirm that this security item is a false positive and has been fully patched/fixed on your server'
- Important - administrators must include information in the text box detailing the patch or compensating control that they have deployed. If this space is left blank then the request will be automatically rejected
- Click 'Save' to submit the report to the HackerGuardian technicians for analysis and verification. The advisory will contain the following message to indicate that your submission is under review:
Our support team will review the information provided to ensure it is satisfactory.
The administrator can check the status of the submitted false positive at any time. Click here for more details.
If Confirmed as false positive by our technicians - This security hole will no longer count against your IP address/Domain. Genuine false positives are automatically removed from the list of security holes from which your PCI report is derived.
Your Host Compliancy Status will be automatically updated in your Executive Report. - You do not need to run another scan.
For example - If this false positive represented the only security hole on your host, then your PCI report will change from 'Not Compliant' to 'Compliant' and you can immediately download it.Downloading Reports Pack
The Administrators can download all the reports in pdf format as a zip file by clicking the 'Generate Report Pack' button in the Reports > Scans interface.
The Report Pack will contain Executive Report, Vulnerability Report and the Attestation Scan Compliance report of the PCI scans executed within the past 90 days. These scan reports should be submitted to the acquiring bank or payment bank according to their instructions, to demonstrate compliance.
To download the report pack, click the 'Generate Report Pack' button from the 'Reports' area.
If some unresolved security notes are present in the report, the following warning will be displayed.
Address the issue or confirm that the security notes are taken care by selecting the check box and click 'Next'.
An attestation screen will appear.
- Read the Attestation statement and fill your Contact name, email address and your role in the subscribing Organization, as a token of digitally signing the attestation form and click 'Next'.
Immediately, the report pack generation will be started. On completion, your report pack will be reviewed by our support staff and will be passed on for download. This will be indicated by a dialog.
- Click 'Yes'.
To check your report pack status, click the "Report Packs" tab in the 'Reports' area. The status of your requested report pack will be displayed.
Once the pack is generated and reviewed by our PCI DSS approved support staff, it will be available under the same tab for download.
- Click the 'Download' button. The file download dialog will appear.
- Save the file in a desired location.
This report pack will contain pdf files of Attestation of Scan Compliance report, Executive Summary, and the Vulnerability Details and the of the PCI scans executed within the past 90 days.
These scan reports should be submitted to the acquiring bank or payment bank according to their instructions, to demonstrate compliance.
Also, the report pack contains an ASV Feedback form to be filled up and sent to the PCI SSC at email@example.com, as a feedback for the scanning service provided by Comodo, the Approved Scanning Vendor.Tracking Status of Submitted False Positives
HackerGuardian allows the administrator to track the status of the false positives submitted from the 'Reports' area. To view the status, click the False Positives Tracker link from the 'Reports' area.
The administrator can filter the listed false positives, based on the scan type.
Click the drop-down arrow beside 'View' to select the false positives based on scan types. To view the false positives submitted for PCI scans, select 'PCI'.
The following table provides description of information columns in this area.
|ID||The identity number of the submitted false positive.|
|Date||Date and time of submission.|
|Host||The IP/Domain for which the vulnerability was detected and submitted as false positive.|
|Notes||Notes entered by the administrator at the time of submission.|
|Status||Indicates the review status or whether accepted or rejected by the Administrator or the Comodo support team after validation.|
|Reason||The reason for accepting or rejecting the false positive.|
Note: Clicking on the up or down arrows beside each column heading sorts the list of devices in ascending order based on the category.