Automated Vulnerability Scanning
The Audited by Netcraft service regularly tests your internet infrastructure and supplies you with the information you need to maintain your security and eliminate vulnerabilities. Testing can be carried out as frequently as daily, and provides a dynamically generated seal which audits that no serious vulnerabilities were found. This will give your users and customers the confidence that you are proactive about security, and the assurance that your services are scanned regularly.
What does Audited by Netcraft mean?
There is an enormous variation in the degree of care and attention that businesses take with respect to their security. However, there is often little cosmetic difference that can be discerned by the user of their services. As someone who cares strongly about your company’s security, you want people outside of you organisation to know that you network is secure and that the security of your network, sites and applications has been diligently tested from both inside and outside of your router. To show your commitment to security you need something trusted to show your users and customers.
A great many sites now display a seal from the provider of their SSL certificate. However, using SSL simply ensures that the traffic between the browser and the site is encrypted – it says nothing about the security of the site itself, or the configuration of your servers.
Audited by Netcraft shows your customers that you are actively maintaining your network security and protecting your systems and infrastructure from remote attacks. The “Audited by Netcraft” seal is served dynamically and shows the date of the last test in which no serious vulnerabilities that could permit remote compromise were detected. As Netcraft updates its scanning suite each day, adding new tests for the latest security exploits as they are discovered, you can be confident in the security of a site that is Audited by Netcraft.
Find out more about the scope of our tests.
Payment Card Industry (PCI) Compliance
The Payment Card Industry (PCI) Data Security Standard (DSS) was created in 2004 with the aim of specifying security measures for merchants with an online presence. The PCI Security Standards Council are charged with developing, maintaining and distributing the PCI DSS.
Both Visa and Mastercard require that all online merchants processing over 20k ecommerce transactions per annum undergo regular security testing by an approved third party.
Audited by Netcraft has successfully completed the PCI Scanning Vendor Compliance Testing. This means that online merchants can use Audited by Netcraft to fulfil the regular scanning requirement of PCI compliance. It also gives our customers the assurance that Audited by Netcraft has itself been independently tested.
How it Works
When you sign up and register your company’s IP address range for the “Audited by Netcraft” service, Netcraft will test your network address space to determine which machines and services are available to the internet. If you are a large organisation, Netcraft can help identify all of your IP address ranges and domains.
Scanning can be performed on daily, weekly or monthly test schedules. The tests include a full TCP and UDP port scan to identify available services on each responding host. Each service is tested for information leaks, configuration errors and potential vulnerabilities. Our database of vulnerabilities contains the collective experience gained from testing thousands of networks, using both public security advisories and our own research. It is continually updated, with over 250 new classes of vulnerability added each year.
After your first scan, Netcraft will contact you with login credentials and a URL for accessing your report. If the report is clean you will be given the HTML to display the Audited by Netcraft seal. If vulnerabilities are found, they will be listed in the report, along with links to advisories to help you fix the problems. The advisory database is updated daily, and is cross-referenced to relevant vendor information and CVE names. Once your report is clean you will be given the HTML to display the Audited by Netcraft seal. Following your first report, changes between scans will be highlighted. On-demand rescanning of individual hosts is included at no extra cost, allowing you to expediently test your changes. Support by electronic mail and telephone is included with the service.
Sometimes, such as with buffer overflows, directly testing for a vulnerability can risk crashing your servers. When this is the case, Audited by Netcraft uses indirect tests, which can sometime lead to false positive matches. When this happens, Audited by Netcraft allows false positives to be marked as such and signed off.
As time goes on, you will make changes to your configurations, and new vulnerabilities in services you use will be discovered. When a change is discovered in your network or sites’ internet profile, you will be alerted, and you can use the information in the advisory to fix the problem, with support as necessary.
Enterprise-wide Auditing
If your organisation’s internet presence is geographically disparate, it can be difficult to identify exposure on an enterprise wide basis. The risks – disclosure of confidential information, brand damage, loss of customer confidence and outright financial loss – are manifold, and servers located outside of the head office and main datacenters are often the most vulnerable. Netcraft can help you identify all of your organisations registered netblocks and web sites.
The benefits of certification are significant, as both you and your users can be confident that the whole of your organisation’s internet exposure is being tested on a daily basis, and that there are no well-known remote vulnerabilities in your defences.
With the Audited by Netcraft service, the whole of an Enterprise’s internet address space can be tested on a daily basis, vulnerabilities identified and the right people notified regardless of the location of the problems.
Costs
The “Audited by Netcraft” service is priced based on the size of the IP address range we need to test, and the number of machines visible to the internet. We will confirm the IP address ranges with you, and quote a price on this basis.
For more information, please contact us by email or phone +44 (0) 1225 447500.