
HackerGuardian Reports

At the end of each PCI/Custom scan, HackerGuardian produces a vulnerability report and compliance report for each IP/Domain scanned and an executive report for the network device scanned. The compliance status for each device is set as Compliant or Non-Compliant based on the discovery of potential security flaws on the device/IP/Domain.

The security flaws or the vulnerabilities are rated based on their severity levels. The following table shows the official PCI severity ratings.

Level - Severity - Description
5 - Urgent - Trojan Horses, file read and write exploit, remote command execution
4 - Critical - Potential Trojan Horses, file read exploits
3 - High - Limited exploit of read, directory browsing and Denial of Service
2 - Medium - Sensitive information can be obtained by hackers on configuration
1 - Low - Information can be obtained by hackers on configuration

Based on the ratings, HackerGuardian categorizes the vulnerabilities as Security Holes, Security Warnings and Security Notes.

Security Holes - A vulnerability whose severity level is more than three or 'High' is identified as a Security Hole. To pass a PCI Compliance scan, no holes are to be found during the scan. If any holes are found, the merchant or the service provider must remediate the identified problems and re-run the scan until compliance is achieved.
Security Warnings - A vulnerability whose severity level is more two or 'Medium' is indicated as a Security Warning. To pass a PCI Compliance scan, no warnings are to be found during the scan. If any warnings are found, the merchant or the service provider must remediate the identified problems and re-run the scan until compliance is achieved.
Security Notes - A vulnerability whose severity level is more one or 'Low' is indicated as a Security Note.

Each HackerGuardian report indicates the Security Holes, Security Warnings and Security Notes found on each device/IP/Domain and also provides solutions for remediation.

The Scan Reports produced from the PCI scans can be accessed from the 'Reports' area of the HackerGuardian interface, displayed by clicking the 'Reports' tab from the Navigation bar. From this interface, you can:

View Scan Reports

Clicking the 'Scans' link in the Reports area opens the list of the scan reports produced by HackerGuardian at the end of each scan.

At the end of each scan HackerGuardian produces three types of reports.

  • Executive Report - Executive Reports provide an overview of the security status of multiple hosts - allowing administrators to gain an overview of the health of their entire network.
  • Vulnerability Report - Vulnerability Reports are a detailed overview of scans on a single host. They include a prioritized list of the vulnerabilities found, expert remediation advice and thousands of cross-referenced online advisories.
  • PCI Compliance Report - Users can download a 'ready to submit' PCI Scan Compliance report immediately after a 'successful' scan (no vulnerabilities of level 3, 4 or 5).

Tip - The vulnerability reports and the PCI Compliance reports can be converted into PDF format by clicking the link 'Print in PDF' from the Additional Actions area as shown below.

Filtering Options

The administrator can filter the reports listed, based on the scan type, status or even the reports pertaining to a specific IP or domain. The table below describes the filtering options available in this interface.

Filter - Description
View - Filters the reports based on the scan type. E.g. to view only the PCI scan reports, select 'PCI Reports' from the drop-down menu.
Filter by Status - Filters the reports based on success or failure of the scan results.
Search by IP/Domains - Filters the reports pertaining to a specific IP or Domain. The administrator can enter the IP address or the Domain name and only the reports for those will be listed.

Executive Report

An Executive Report is a condensed view of the information available by viewing reports individually, but presents it in a more easily digested manner - allowing admins to quickly pick out where insecurities lie and to assess and then investigate any surges in the trends.

To view an executive summary of a device, click the Executive Report button in the row.

Tip - You can also click the Executive Report button beside the device name from the 'Device List' area to view the report.

An example of an executive report is shown below.

The Executive Report contains an at-a-glance summary of the scan results on the device at the top and graphical representations of the proportions of identified vulnerabilities according to their categories.

Summary

The summary table provides the list of IP addresses/Domains pertaining to the device scanned and the number of Security Holes, Security Warnings and Security Notes identified in each IP/Domain.

The table also contains a list of flaws (with the number of flaws in parentheses) which fall under the top five risk categories, for each IP/Domain scanned.

Scan History

The scan history section contains bar-graphs and pie diagrams indicating the proportions of vulnerabilities according to their categories.

Vulnerabilities by Host - A graphical representation of the information regarding the security holes, security warnings, and security notes found per host. Each category is represented by a different color. Pointing the mouse cursor over a bar in the graph displays the count of the respective item found. The graph enables administrators to gain an overview of the overall health of their network and to monitor the security of individual hosts within that network.

Device Vulnerabilities by Severity - A pie-diagram representation of proportions of security holes, security warnings, and security notes found for the entire device. Pointing the mouse cursor over a sector in the diagram displays the percentage proportion of the respective item found.

Device Security Holes by Category - A pie-diagram representation of proportions of security holes of different categories like Trojan Horses, file R/W exploits, Remote Procedure Call (RPC) exploits etc., found for the entire device. Pointing the mouse cursor over a sector in the diagram displays the number and percentage proportion of the respective item found.

Device Security Warnings by Category - A pie-diagram representation of proportions of security warnings of different categories like Firewall exploits etc., found for the entire device. Pointing the mouse cursor over a sector in the diagram displays the number and percentage proportion of the respective item found.

Device Vulnerabilities Trend - A graphical representation of the comparison of the vulnerabilities found in the IPs/Domains of the device during the last five scans. This gives the trend of the reduction in the number of vulnerabilities in successive scans because of the remediation actions taken at the end of each scan. Each IP/Domain in a device is indicated with a different color. Pointing the mouse cursor over a bar in the graph displays the number of the vulnerabilities found in the respective IP/Domain in the respective scan. This graph also shows the administrator the frequency of the scans and makes it possible to check whether scans are being conducted according to their pre-defined scan schedule.

Scan Time per Host - A graphical representation of the time taken for scanning each IP/Domain in the device. Pointing the mouse cursor over a bar in the graph displays the time taken for the IP/Domain in hours.

Vulnerability Report

A Vulnerability Report provides a detailed overview of scan results on a single IP/Domain. It includes a prioritized list of the vulnerabilities found, expert remediation advice and thousands of cross-referenced online advisories.

To view a Vulnerability Report of an IP/Domain, click the '+' beside the respective device and then click the 'Vulnerability Report' button in the row of the respective IP/Domain.

Tip - You can also click the Vulnerability Report button beside the IP/Domain name from the 'Device List' area to view the report.

The Vulnerability Report consists of a summary of the scan details and the prioritized list of the vulnerabilities found.

Scan Summary

The scan summary contains the following details:

  • Start Time – The date and time at which the scan was started.
  • Finish Time – The date and time at which the scan was completed.
  • Total Scan Duration Time – The total time taken for the scan.
  • Plugins Used – The number of vulnerability plug-ins deployed during the scan.
  • A table providing the number of Security Holes, Security Warnings and Security Notes identified on the IP/Domain.
  • A list of open ports detected on the IP/Domain and their respective communication protocols and dedicated services.

Following the scan summary, the identified vulnerabilities are listed with their descriptions, priority, the plug-in that identified the flaw, risk factor, expert advice for remediation etc. An example is shown below.

The title bar indicates the type of the vulnerability and the port/service in which it is identified.

Plugin - The vulnerability plug-in that has detected the vulnerability.
Category - The category of the flaw that is responsible for the vulnerability.
Priority - Indicates the priority at which the vulnerability has to be remediated.
Synopsis - The Synopsis in the report provides a short description of the vulnerability. For example: if the protocol is encrypted, if debugging is enabled etc.
Description - A detailed description of the vulnerability and its effects. This section also contains links for additional reading about the vulnerability.
Risk Factor - Shows the severity of the vulnerability according to the CVSS score. The NVD provides severity rankings of "Low", "Medium", and "High" in addition to the numeric CVSS scores but these qualitative rankings are simply mapped from the numeric CVSS scores:
  • Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
  • Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.
  • Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.
Additional Information - Provides CVE index of standardized names for vulnerabilities and other information security exposures, BID numbers and other references to the vulnerability.

CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.

Examples of universal vulnerabilities include:

  • phf (remote command execution as user "nobody")
  • rpc.ttdbserverd (remote command execution as root)
  • world-writeable password file (modification of system-critical data)
  • default password (remote command execution or other access)
  • denial of service problems that allow an attacker to cause a Blue Screen of Death
  • smurf (denial of service by flooding a network)

Examples of exposures include:

  • running services such as finger (useful for information gathering, though it works as advertised)
  • inappropriate settings for Windows NT auditing policies (where "inappropriate" is enterprise-specific)
  • running services that are common attack points (e.g., HTTP, FTP, or SMTP)
  • use of applications or services that can be successfully attacked by brute force methods (e.g., use of trivially broken encryption, or a small key space)

Each CVE name includes the following:

  • CVE identifier number (i.e., 'CVE-1999-0067').
  • Indication of 'entry' or 'candidate' status.
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).
Solution - Provides expert advice on the action to be taken by giving a set of rules to be configured for the specific port/service vulnerability. This gives the best suited remediation measure for the vulnerability found.

Mitigation Plan

HackerGuardian will conduct an in-depth audit of your network to detect vulnerabilities on your network and web-server. If your servers fail the test, you will find lots of helpful advisories in the scan report that will help you patch the security holes.

That's why EACH report contains a condensed, PCI specific, 'Mitigation Plan' - a concise, bulleted list of actions that you need to take to achieve compliance. The mitigation plan is available at the end of the list of the vulnerabilities.

Tip - You can directly view the mitigation plan by clicking the link Jump to Remediation Plan from the 'Additional Actions' area.

Reporting False Positives

A false positive exists when HackerGuardian incorrectly detects a Security Hole (vulnerability with a CVSS base score greater than 4.0) or if compensating controls exist elsewhere in the network's security infrastructure to offset or nullify the vulnerability.

Administrators have the ability to submit suspected false positives to Comodo from within the security advisory itself (see below).

If you think this is a legitimate false positive, click the 'Report as False Positive' link or the 'here' link shown above. This will open the false positive reporting interface (shown below).

  • Next, check the box 'You confirm that this security item is a false positive and has been fully patched/fixed on your server'
  • Important - administrators must include information in the text box detailing the patch or compensating control that they have deployed. If this space is left blank then the request will be automatically rejected
  • Click 'Save' to submit the report to the HackerGuardian technicians for analysis and verification. The advisory will contain the following message to indicate that your submission is under review:

Our support team will review the information provided to ensure it is satisfactory.

The administrator can check the status of the submitted false positive at any time.

If Confirmed as false positive by our technicians - This security hole will no longer count against your IP address/Domain. Genuine false positives are automatically removed from the list of security holes from which your PCI report is derived.

Your Host Compliancy Status will be automatically updated in your PCI Compliancy Report. You do not need to run another scan.

For example - If this false positive represented the only security hole on your host, then your PCI report will change from 'Not Compliant' to 'Compliant' and you can immediately download it.

PCI Compliance Report

The PCI Compliance report is the one you need to submit to your acquiring bank to demonstrate compliance.

Note: PCI compliance Reports are not available for Local/Custom scans.

To view a Compliance Report of a network device, click the 'Compliance Report' button in the row of the respective device in the 'Reports' area.

To view a Compliance Report of an IP/Domain, click the '+' beside the respective network device and then click the 'Compliance Report' button in the row of the respective IP/Domain.

Tip - You can also click the Compliance Report button beside the Device/IP/Domain name from the 'Device List' area to view the report.

The compliance report contains the following information:

1. Scanning Vendor Information - Provides information on the scanning vendor (Comodo CA Ltd.) and the base certificate identification.
2. Hosts Compliance Status

Each post-scan HackerGuardian vulnerability report states a PCI compliance status of 'Compliant' or 'Non-Compliant' based on the discovery of potential security flaws on your systems. It also displays the date and time of the performed scan.

If the network/device/IP/Domain is Compliant:

If the host is Non-Compliant:

3. Severity Rating Mapping - Indicates the official PCI severity ratings and their HackerGuardian equivalent names.
If no vulnerabilities with a CVSS base score greater than 4.0 (named 'security holes' in HackerGuardian) are detected then the scanned IP addresses, hosts and Internet connected devices have passed the test and the report can be submitted to your acquiring bank.
If the report indicates 'Non Compliant' then the merchant or service provider must remediate the identified problems and re-run the scan until compliancy is achieved.

If your HackerGuardian PCI Scan Compliance Report indicates 'NOT COMPLIANT' then vulnerabilities with a CVSS base score greater than 4.0 were discovered on your externally facing IP addresses. The accompanying Vulnerability Report contains a detailed synopsis of every vulnerability prioritized by threat severity. Each discovered vulnerability is accompanied with solutions, expert advice and cross referenced links to help you fix the problem. You should fix all vulnerabilities identified as a 'Security Hole'.

Furthermore, each report contains a condensed, PCI specific, 'Mitigation Plan' - a concise, bulleted list of actions that you need to take to achieve compliance.

After completing the actions specified in the Mitigation Plan you should run another scan until the report returns a 'COMPLIANT' status.
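
The compliance rule above, together with the false-positive handling described under 'Reporting False Positives', as an added example that is not part of HackerGuardian or of the original page: a short Python script that labels findings with the NVD risk factor and derives each host's status. The Finding fields, the fp_status values and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Threshold as worded on this page: a CVSS base score greater than 4.0
# makes a finding a 'Security Hole' that blocks compliance.
HOLE_THRESHOLD = 4.0


@dataclass
class Finding:
    # Hypothetical record layout; the page does not describe an export format.
    host: str
    title: str
    cvss_base: float
    fp_status: str = "none"  # assumed values: none, under_review, accepted, rejected


def risk_factor(cvss_base):
    """NVD qualitative ranking quoted in the Risk Factor field."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "High"
    return "Medium" if cvss_base >= 4.0 else "Low"


def blocks_compliance(f):
    """Only an accepted false positive stops a hole counting against the host;
    this example treats 'under_review' and 'rejected' as still counting."""
    return f.cvss_base > HOLE_THRESHOLD and f.fp_status != "accepted"


def compliance_by_host(findings):
    """Return {host: (status, [titles of findings that block compliance])}."""
    blockers = {}
    for f in findings:
        blockers.setdefault(f.host, [])
        if blocks_compliance(f):
            blockers[f.host].append(f.title)
    return {h: ("Non-Compliant" if b else "Compliant", b)
            for h, b in blockers.items()}


# Constructed sample findings (documentation addresses, invented titles).
SAMPLE = [
    Finding("192.0.2.10", "Weak TLS cipher suite", 5.0),
    Finding("192.0.2.10", "Service banner disclosure", 2.6),
    Finding("192.0.2.20", "Outdated web server", 7.5, "under_review"),
    Finding("192.0.2.30", "Outdated web server", 7.5, "accepted"),
    Finding("192.0.2.30", "Directory listing enabled", 3.5),
]

if __name__ == "__main__":
    for host, (status, titles) in compliance_by_host(SAMPLE).items():
        print(host, status, titles)
```

The third host shows the case from the false-positive section: once its only Security Hole is accepted as a false positive, its status becomes 'Compliant' without another scan.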

Tracking Status of Submitted False Positives

HackerGuardian allows the administrator to track the status of the false positives submitted from the 'Reports' area. To view the status, click the False Positives Tracker link from the 'Reports' area.

Filtering Options

The administrator can filter the listed false positives, based on the scan type.

Click the drop-down arrow beside 'View' to select the false positives based on scan types. To view the false positives submitted for PCI scans, select 'PCI'.

The following table describes the information columns in this area.

Column - Description
ID - The identity number of the submitted false positive.
Date - Date and time of submission.
Host - The IP/Domain for which the vulnerability was detected and submitted as false positive.
Notes - Notes entered by the administrator at the time of submission.
Status - Indicates the review status or whether accepted or rejected by the Comodo support team after validation.
Reason - The reason for accepting or rejecting the false positive.

Note: Clicking on the up or down arrows beside each column heading sorts the list of devices in ascending order based on the category.
