Security Testing FAQ
Even if you already care strongly about security, and diligently test the security of your network, sites, and applications from both internal and external perspectives, few people outside your own organisation will know whether your network is secure or not.
Netcraft seal is your opportunity to demonstrate the care and attention that you take in your internet security to your customers. This independent demonstration of your network’s security means that they can use your services with a much greater degree of assurance.
The largest numbers of remote compromises come from very widespread attacks by worms or attackers trying a set of pre-made, publicly-available exploits across very large numbers of machines. Typically, these attackers will launch their attack against the whole of the internet, or a large IP address space, rather than a single site, and then review the resulting set of compromised machines.
Attackers targeting specific sites may infer from the seal that your organisation has paid particular attention to security, and is up to date against well-known vulnerabilities, and therefore move onto a target that has a less visible defensive stance instead.
Netcraft has an excellent pedigree in security testing and network exploration: Netcraft has been providing network security services, including application and penetration testing, code reviews, and automated security scanning since 1994. Additionally, Netcraft has explored the internet, providing research data and analysis on web servers, operating systems, hosting providers, ISPs, TLS certificates, electronic commerce, scripting languages and content technologies on the internet. This gives Netcraft a unique bird’s eye view of what is happening on the internet, and direct access to many of the world’s leading web technology organisations.
Netcraft has a cosmopolitan client list, spread through the UK, the USA, mainland Europe, the Middle East, Asia Pacific and Latin America. Clients include BNP Paribas, British Telecom, Capita, Cisco, Datapipe, Intel, MercadoLibre, Microsoft, the 2010 and 2012 Olympic Games, Rackspace, Skype, Symantec, and IBM/Softlayer.
We encourage clients to test their own networks and many of our clients have experienced internal security teams. However, relying on your own testing can be like marking your own examination paper. Most companies handling credit card data are required to be regularly scanned by an external vendor, under the Payment Card Industry Data Security Standard.
By using Netcraft’s services, you get access to people who test a plethora of different networks each year, not just one — a genuine internet’s eye view of your network from outside of your own firewall — and direct access to a professional second opinion.
A correctly configured firewall can eliminate attacks against services that are not intended to be visible to the internet. However, many attacks exploit vulnerabilities in critical network services such as HTTP, HTTPS, SMTP, and DNS, which must be permitted through your firewall to operate as intended.
Additionally, when you need to make changes to your firewall configuration, external independent testing will give you confidence that you have not inadvertently permitted any more services through the firewall than intended.
After signing up for the “Audited by Netcraft” service, we will scan the network address space or web site being audited. The time taken to scan an IP address varies according to the number of discovered open ports, with a typical scan of a single address taking a few hours. An Audited by Netcraft scan begins with a full TCP and comprehensive UDP port scan to determine which services are available to the internet. Each service is tested for information leaks, configuration errors and outright vulnerabilities. Where HTTP and HTTPS services are present, their page trees are inspected for attributes which may indicate risks. Netcraft tests multiple servers in parallel to limit the load placed on any one server, so the elapsed time for a network with 10 visible servers is not significantly greater than for a single IP address.
Once the tests are complete we will email a summary containing a link to a web-accessible HTML report protected by both IP address restrictions and user accounts. For the vulnerabilities that have been found, links to advisories describing the problem and how to remedy are provided, so that you can fix the problems and retest your sites. Support by email and telephone is included within the service.
In some cases — for example in the case of a buffer overflow exploit or a denial of service attack, where we cannot directly test a vulnerability without risking crashing the server — we must rely on indirect tests that use version numbers and other metadata to determine if a vulnerability may be present. With these version-based tests, it is possible for a false positive to be generated, particularly on systems that use backports to apply security patches without incrementing displayed version numbers.
All customers can add annotations to their reports to provide evidence that the relevant patch has been applied. Those customers displaying a public Audited By Netcraft seal can request Netcraft confirm these are indeed false positives. Only once the report has no outstanding unmitigated serious vulnerabilities will the “Audited by Netcraft” security seal update to show the most recent passing scan date.
As time goes on, you will make changes to your configurations and new vulnerabilities in services you use will be discovered. When a change is discovered in your network or site’s internet profile, you will be alerted, and you can use the information in the advisory to fix the problem.
Yes — Netcraft detects these very well. Shopping site skimmers are malicious JavaScript programs that steal payment card information from compromised online store checkouts, and send it back to a fraudster to use later. These attacks have affected a large number of online shops, and are invisible to even the most vigilant shoppers as there is no visual change to the page.
Netcraft proactively scans the internet to find and catalogue large numbers of new shopping site skimmers, web miners and other malicious JavaScript, which makes it possible for us to identify the presence of these malicious scripts on your own websites.
Where it is not possible to confirm a potential vulnerability without risking disruption to your services — such as Denial of Service attacks, or buffer overflows — vulnerabilities may be flagged on the basis of a software version number rather than by generating the actual error condition.
This can lead to false positives, whereby a vulnerability that has already been fixed (for example by a distribution backport that leaves the displayed version number unchanged) is reported on the basis of the software version.
We continually improve our tools to try to eliminate as many false positive issues as possible, and additionally make it possible for our customers who have a publicly-displayed Audited By Netcraft seal to mark vulnerabilities as patched. The person marking a vulnerability as a false positive effectively signs for this, making accountability possible within large organisations.
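The following is an added illustration of why version-based checks produce the false positives described above and how an annotation workflow resolves them. It is not Netcraft's scanner code; the advisory identifiers (`EXAMPLE-0001`, `EXAMPLE-0002`), server banners, host names and annotation text are all constructed for the example, and the `fixed_in` versions are placeholders rather than real advisory data.

```python
"""Version-based vulnerability matching and the backport false-positive problem.

Added example, not Netcraft's tooling. All advisories, banners, hosts and
annotations below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    ref: str            # constructed placeholder id, not a real advisory number
    product: str        # product name as it appears in the Server banner
    fixed_in: Version   # first upstream version that carries the fix (placeholder)


@dataclass
class Finding:
    host: str
    ref: str
    status: str         # "open" or "annotated" (customer supplied patch evidence)
    evidence: str = ""


def parse_version(text: str) -> Version:
    """'2.4.52' -> (2, 4, 52); tuples compare component-wise, as versions should."""
    return tuple(int(part) for part in text.split("."))


# Matches banners like "Apache/2.4.52 (Ubuntu)" or "nginx/1.20.2".
_BANNER = re.compile(
    r"^(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)(?:\s*\((?P<distro>[^)]*)\))?"
)


def parse_banner(banner: str) -> Optional[Tuple[str, Version, Optional[str]]]:
    """Split a Server banner into (product, version, distro tag); None if unparseable."""
    match = _BANNER.match(banner.strip())
    if match is None:
        return None
    return match.group("product"), parse_version(match.group("version")), match.group("distro")


def version_matches(banner: str, advisories: List[Advisory]) -> List[str]:
    """Indirect test: flag every advisory whose product matches and whose fix
    version is newer than the advertised one. A distribution backport keeps the
    old version string, so a patched host still matches here: the false positive."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version, _distro = parsed
    return [a.ref for a in advisories if a.product == product and version < a.fixed_in]


def triage(host: str, banner: str, advisories: List[Advisory],
           annotations: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Apply customer annotations: a finding with signed patch evidence is kept in
    the report (for accountability) but no longer counts as open."""
    findings = []
    for ref in version_matches(banner, advisories):
        note = annotations.get((host, ref))
        if note:
            findings.append(Finding(host, ref, "annotated", note))
        else:
            findings.append(Finding(host, ref, "open"))
    return findings


def seal_passes(findings: List[Finding]) -> bool:
    """The seal only advances once no unmitigated finding remains."""
    return all(f.status != "open" for f in findings)


# Constructed sample data.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "Apache", (2, 4, 54)),
    Advisory("EXAMPLE-0002", "nginx", (1, 22, 1)),
]
HOSTS = {
    "web1.example": "Apache/2.4.57 (Unix)",    # upstream build, already above fixed_in
    "web2.example": "Apache/2.4.52 (Ubuntu)",  # distro backport: banner looks vulnerable
    "web3.example": "nginx/1.20.2",            # genuinely unpatched
}
ANNOTATIONS = {
    ("web2.example", "EXAMPLE-0001"):
        "Vendor changelog shows the fix backported; signed off by ops@example (constructed)",
}


def run_report() -> Dict[str, List[Finding]]:
    """Triage every host and return the per-host findings."""
    return {host: triage(host, banner, ADVISORIES, ANNOTATIONS) for host, banner in HOSTS.items()}


if __name__ == "__main__":
    for host, findings in run_report().items():
        verdict = "PASS" if seal_passes(findings) else "FAIL"
        print(f"{host}: {verdict} {[(f.ref, f.status) for f in findings]}")
```

In this model the backported host (`web2.example`) still matches the version rule, which is exactly the false positive the FAQ describes; the annotation converts it from an open finding into a recorded, attributable exception, while the genuinely old nginx host keeps the report failing.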
Netcraft’s tests include comprehensive TCP and UDP port scans, and tests for large numbers of well known vulnerabilities which will trigger a reactive IDS, IPS or firewall system.
If Netcraft’s scans are blocked by reactive firewalls, we will be unable to give you accurate scan results. While this may be great for demonstrating that your firewall system works correctly, we strongly recommend ensuring that our scanners are not blocked, as this will help ensure our scan results are as good as possible. Please keep in mind that you should not provide us with access to any systems or services which would not usually be visible to the internet. Blocking access to such services using firewalls is expected and encouraged.
Note that systems which only block attack traffic, rather than all traffic once an attack has been detected, are acceptable, as they will allow scanning to proceed. Similarly, any IDS which performs logging, or standard static firewalls which block ports that should not be internet accessible, are perfectly acceptable, although you may wish to ensure that our scanners are whitelisted in any systems which are likely to send alerts to your staff!
PCI scans which are subject to blocking or other scan interference may be considered ‘inconclusive’. Please see the PCI ASV program guide for full details.
If we believe that our scans are being blocked, we will let you know. We will also notify you of the IP address ranges we conduct our tests from in order to allow you to make any configuration changes.
Netcraft will certify web applications that it has tested, showing the date tested, and the number of days spent testing the application. Application testing is very important because even machines that are well administered, and correctly port filtered with no well known vulnerabilities, can be vulnerable to a direct attack on the application’s own functionality.
Whereas automated testing is good at finding common well-known (published) exploits, a consultancy audit can additionally find faults unique to your site, caused by application programming and design errors, as well as more complex configuration errors. A consultancy test can also interpret and exploit leaked information and give constructive advice on solutions.
For more information on web application security testing, see the Web Application Testing page.