Internal - Hackerguardian/Hackerproof Common FAQs

July 19, 2018

https://www.hackerguardian.com/hackerguardian/faqs.html?track=8471#gFaq1 Addresses the below questions.

  • All Services: Do I need to allow the HackerGuardian scanning IP address?
  • All Services: I signed up and got the following message: 'No vulnerabilities were found and the host did not respond to any of our checks' - what does this mean?
  • Free Scan: Can I change the IP address that the Free Vulnerability Scan tests?
  • Scan Compliancy: I have a dynamic IP assigned by my ISP. Can I still use HackerGuardian?
  • All Services: Does Comodo maintain any statistics about what % of clients consistently achieve a score of 0% on the 'High Risk' threats? Or what % of all commercial servers would have this score?
  • All Services: How do I upgrade from a trial account to the full version?
  • All Services: After upgrading, will I have to re-enter my IP/Domain information?
  • All Services: I am an existing Comodo account holder (e.g. SSL) - can I use my existing Username and Password during purchase?
  • All Services: Explain the password/username system to me.
  • All Services: Can I scan private (internal) IP addresses?
  • Scan Compliancy: How many concurrent scans can I run?
  • All Services: How many ports does each service test?
  • Scan Compliancy: I get an error when trying to start a scan saying 'no plug-ins are selected'
  • All Services: I have changed my password, and now cannot login to the HackerGuardian website, why?
  • Scan Compliancy: Does HackerGuardian use the latest CVSS v2?
How to identify a HackerGuardian (HG) or HackerProof (HP) customer.
The easiest way to identify a HG or HP customer is to look them up in OMS by either their order number or their username.
How to reset a HackerGuardian (HG) or HackerProof (HP) customer password.
Locate the order number in OMS/SASP. Using the password reset link (https://secure.comodo.com/management/passwordResetRequest.html), reset the customer password using the email address from SASP. This sends the customer an email with instructions on how to reset the password. Once they follow the process, it takes about 5 minutes for HackerGuardian to update. Customers may get confused because the email looks like it contains a replacement password; it is in fact a passcode to be used to reset their password.
I can't find the customer by their username.
If the customer came through Cynergy, try searching for the company name in all CAPS. Those users should have received their order number in an email from Cynergy. You can also look them up by merchant number in OMS: use the first 10-14 digits followed by a % wildcard in the username field of the OMS query. For example, for merchant number 389900000213493807142015, query 38990000021349%.
How often does a customer need to perform PCI scans?

The quarterly cycle is based on calendar quarters, the same for all accounts: January, February and March (Q1); April, May and June (Q2); July, August and September (Q3); and October, November and December (Q4). The customer can scan whenever they need to within each quarter. Scans are allocated per quarter and do not roll over. The actual day the customer signed up (e.g. 8/15/16) does not matter; the scan allowance resets on the 1st of each quarter.

Customer wants to know what date specifically does his next quarterly cycle begins.
Quarters are calendar quarters, so the next cycle begins on the 1st of the next quarter (1 January, 1 April, 1 July or 1 October), regardless of the signup date. The customer's account can be confirmed by looking them up in OMS by order number or username.
Account status says issued but vulnerability report scan summary states on hold.

This is a failure on a daily scan; 3 of these would cause the TrustLogo to be put on hold.

Which SAQ does a customer need to fill out
If a customer is unsure which SAQ they need to fill out, they should reference the official PCI SAQ Instructions and Guidelines document on the PCI website (this link is also present on the HackerGuardian SAQ page). That document describes in depth which category a merchant falls into and which SAQ they must fill out. We cannot help the customer fill out their SAQ because we are not a Qualified Security Assessor (QSA). A QSA is a person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.
Is there a logo or a certificate which shows that the customer is PCI compliant? What does a customer need to do to be considered PCI compliant?
No logo or "certificate of compliance" is provided; these are not in scope of the PCI DSS and are not what makes a merchant PCI compliant. To be considered PCI compliant, the merchant needs to provide an SAQ (if required by their merchant acquirer), an executive summary and vulnerability scan report showing that a passing scan has been performed by an ASV (Approved Scanning Vendor), and the "Attestation of Compliance" to the merchant acquirer or bank. The acquirer or bank determines the merchant's PCI compliance based on the SAQ, vulnerability report, executive summary, and attestation of compliance.
The HackerGuardian/HackerProof scans are being blocked and the scan resulted in an inconclusive scan, do specific IP addresses need to be unblocked or whitelisted for a successful scan?
Yes. For scans to complete successfully, the scanner source addresses must be unblocked or allowlisted on the customer's firewall, IDS/IPS and any rate limiting: 199.66.200.32 through 199.66.200.48 (note that "/48" is not a valid IPv4 prefix length, so apply this as an address range rather than as a single CIDR block) and 91.209.196.32/28 (16 addresses: 91.209.196.32 through 91.209.196.47).
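Added example for this FAQ (not Comodo's own code): a small Python check that expresses the two scanner ranges above as the CIDR blocks a firewall rule actually needs, and scans iptables-style DROP log lines for packets rejected from scanner addresses, so an inconclusive or "host did not respond" scan can be traced to the customer's firewall. The log lines are constructed for the example, and the `[IPT DROP]` log prefix is an assumed local logging convention.

```python
"""Check firewall drops against the HackerGuardian/HackerProof scanner ranges.

Added example for this FAQ, not Comodo's own code. The log lines are
constructed, and the "[IPT DROP]" log prefix is an assumed local convention.
"""
import ipaddress
import re

# Scanner sources as listed in the FAQ. The first is kept as a start/end
# range because "/48" is not a valid IPv4 prefix length; the second is a
# real /28, i.e. 16 addresses (.32 through .47).
SCANNER_RANGES = [("199.66.200.32", "199.66.200.48")]
SCANNER_NETWORKS = [ipaddress.ip_network("91.209.196.32/28")]

# Source address field of iptables LOG output.
_SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def scanner_cidrs():
    """Return the scanner sources as the smallest set of CIDR blocks.

    199.66.200.32-48 is not a single block: it is a /28 (.32-.47) plus a
    /32 for .48, which is why it cannot be typed in as one prefix.
    """
    blocks = []
    for start, end in SCANNER_RANGES:
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    blocks.extend(SCANNER_NETWORKS)
    return blocks


def is_scanner(ip):
    """True if ip (a dotted-quad string) belongs to a scanner range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scanner_cidrs())


def allow_rules(chain="INPUT"):
    """iptables commands that allow the scanner blocks ahead of any DROP rule."""
    return [f"iptables -I {chain} -s {net.with_prefixlen} -j ACCEPT"
            for net in scanner_cidrs()]


def dropped_scanner_sources(log_text):
    """Scanner addresses that appear in DROP log lines, sorted numerically.

    A non-empty result means the firewall, not the target host, produced
    the "no response / inconclusive" scan result.
    """
    hits = set()
    for line in log_text.splitlines():
        if "DROP" not in line:
            continue
        m = _SRC_RE.search(line)
        if m and is_scanner(m.group(1)):
            hits.add(ipaddress.ip_address(m.group(1)))
    return [str(a) for a in sorted(hits)]


# Constructed iptables LOG lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
Jul 19 03:12:01 web1 kernel: [IPT DROP] IN=eth0 OUT= SRC=91.209.196.40 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Jul 19 03:12:02 web1 kernel: [IPT DROP] IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22
Jul 19 03:12:05 web1 kernel: [IPT DROP] IN=eth0 OUT= SRC=199.66.200.48 DST=203.0.113.10 PROTO=TCP SPT=51240 DPT=8080
Jul 19 03:12:06 web1 kernel: [IPT ACCEPT] IN=eth0 OUT= SRC=199.66.200.33 DST=203.0.113.10 PROTO=TCP SPT=51241 DPT=80
"""

if __name__ == "__main__":
    for rule in allow_rules():
        print(rule)
    print("scanner sources dropped:", dropped_scanner_sources(SAMPLE_LOG))
```

The point of `scanner_cidrs()` is that the first range needs two rules (a /28 and a /32), which is easy to miss when the range is written as a single start/end pair; `dropped_scanner_sources()` is the check to run over the customer's firewall log when they report a blocked or inconclusive scan.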
What is the total bandwidth that the scans use in Gbps?
Bandwidth is dependent on what services are running on the server, so there is no single figure. The more open ports with listening services, the more bandwidth the scan will use; a large website hosted on the server will also use more bandwidth.
How many scans can a user have running at one time?

It is based on a formula: 20% of the total IP addresses on the account, with a minimum of 1 and a maximum of 15.
Scans also run in blocks: the first block of that many IP addresses is scanned, then the next block, and so on.

On which domains does the HackerProof Trust Mark logo work?

The HackerProof trustmark will only work on the Fully Qualified Domain Name which was scanned by the HackerProof service.

For example - if the HackerProof scan was performed on www.domain.com, the HackerProof trust mark logo will only work on www.domain.com , and not domain.com or any subdomain of domain.com .

A HackerGuardian/HackerProof scan resulted in a failing scan, what does the customer need to do?

If a HackerGuardian or HackerProof scan has failed, the customer needs to reference the vulnerability report, look at the vulnerabilities that caused the failure, and either mitigate them or implement a compensating control. The vulnerability report also includes reference links describing how to mitigate each vulnerability. If the customer believes a finding is a false positive, they must report it as a false positive and provide a valid reason why it is a false positive, or state what compensating control was implemented.

NOTE - For compliance and auditing purposes false positives must be reported by the customer, we (Comodo) cannot report false positives on behalf of a customer.

HackerGuardian Internal Scanning Agent Logs
If a customer needs to provide us logs for troubleshooting an issue where the internal scanning agent cannot connect to HG, the internal scanning agent logs are located in the following directory : /opt/comodo/hg_vpn/log
How long are report packs and reports available on a customer's HackerGuardian account?
Per PCI ASV requirements, an ASV (Approved Scanning Vendor) must keep any reports or report packs generated for a customer available for a minimum of 2 years, so all reports generated via HackerGuardian are available for 2 years.
How to unlock a HackerGuardian (HG) or HackerProof (HP) customer.

If a HG/HP account is locked due to unsuccessful login attempts, locate the locked user in the HackerGuardian admin portal; there is an Unlock button that clears the time-based lockout. If the user is not under a time-based lockout, the button does not appear.

Work-around for failing because of a Microsoft Exchange Client Access Server Information Disclosure

http://blog.kurtiskent.com/2014/09/workaround-for-iis-multiple-internal-ip.html

What scanning engine does HackerProof use to find vulnerabilities?

The scanning engine used by HackerProof is Nessus. The vulnerabilities the scanner searches for come from the Nessus plugin database and from NIST's (National Institute of Standards and Technology) National Vulnerability Database (NVD), https://nvd.nist.gov/. We also use proprietary custom plug-ins in addition.

Our trial HackerProof trust mark is visible to 50% of a site's visitors and not visible to the other 50%, based on unique IP address.
The HackerProof trial always runs in A/B mode. What is A/B? A method of testing that allows you to compare and contrast two or more variants. How do I compare the results? Log in to your account at comodo.com to access "trusts served" and "hosted logo views". This gives you visibility into the number of users who have moused over or clicked through the HackerProof trust mark on your site. More importantly, it gives you the number of views with and without the HackerProof trust mark and the number of conversions associated with each.
Customer is stating that the SAQ 3.2 form has incorrect questions.

If the customer previously filled it in under a different SAQ version, they should select a different SAQ type and then select SAQ D SP again. This clears out the old SAQ data that is causing incorrect questions to populate.

When a customer wants to be PCI compliant but their devices are connected via Wi-Fi, do they scan the devices connected over Wi-Fi as well as the access point providing the Wi-Fi, or just the devices?

It all depends on what infrastructure is in scope. Generally the external IP addresses are ASV scanned, and internal scanning covers any servers on the same network as the machines handling card data. The local setup could be more complex, though.

When a customer wants to cancel their account

None of the licences auto-renew, so there is nothing to cancel; just advise customers that the account will terminate once the license has expired. The customer can request a refund within the first 30 days; the refund will cancel the license.

Additional Questions:

  1. False positive reporting: Is there a way to apply the same response to multiple vulnerabilities? We can see needing to have hundreds of FPs.

    A: It is possible to mark a single vulnerability that exists across many IP addresses in one submission. The vulnerability must be on the matching port and the configuration on the systems should be the same. Otherwise each false positive must be marked individually.
  2. Device containing several IPs: How does Comodo intend this to be used? This structure is not familiar to us. We are used to seeing one IP for each host.

    A: It is up to the user how they use devices. A device lets the user divide IP addresses up as they require; for example, one physical location could be one device.
  3. Is there a way to see a simple list of vulnerabilities (holes) that were found and need to be addressed, with the recommended solutions and other relevant info? It would be more efficient, during the remediation phase, to focus only on the vulnerabilities that are causing a PCI fail.

    A: Not currently, but the executive report is an overview that is easy to look through.
  4. How willing is Comodo to implement improvements to the Hacker Guardian portal to make it easier for users? Where does Hacker Guardian fall in the product priority for Comodo?

    A: We always want to hear feedback. In terms of implementing specific requirements for individual customers, it depends on the size of the opportunity.

  5. Can the portal be modified so that we can have multiple logins for the portal? We’d like to give our clients access to the portal.

    A: It is one account per login, but we do offer an Acquirer interface for managing merchants' compliance.