Internal - HackerGuardian and HackerProof Overview

July 19, 2018

Video Training Link from 3/12/2018: https://www.dropbox.com/s/1p227ma5ug1qlj0/2018-03-12%2014.14%20Hackerguardian%20etc%20Training.mp4?dl=0

User Guides (includes general information such as the acceptable validation documents and a comparison of services, plus the PCI scanning services, HackerProof, and the PCI Control Center for Acquirers): https://www.hackerguardian.com/help/manualmainpage.html?track=8470&s_track=7639

HackerGuardian Standard scans up to 5 IPs (external only).

HackerGuardian Enterprise scans up to 20 IPs daily (internal and external).

HackerProof is HackerGuardian Enterprise plus a site seal (trust mark).
_________________________________________________________________________________

HackerGuardian:

HackerGuardian is Comodo's PCI scanning service. It allows customers to scan externally facing targets and, only with an Enterprise license, internally facing targets.

  • PCI Control Center : a vulnerability scanning and assessment tool that enables merchants who accept credit cards to attain PCI compliance.
  • Acquirer PCI Control Center : a management portal built for PCI partners to manage their merchants' PCI compliance activities, including SAQ status and PCI scan status. This is a separate product from PCI Scanning.
  • Self-Assessment Questionnaire (SAQ) : a free compliance assessment tool that lets merchants determine whether they meet the PCI Data Security Standard and can be considered PCI compliant. This feature is included with the PCI Control Center license.
  • HackerProof : a version of the PCI Control Center that includes a daily vulnerability scan of one domain and a trust mark that reflects that domain's latest daily scan status. PCI Enterprise scanning is included in this product.

Download and use the new agent from here: https://www.hackerguardian.com/help/start-internal-scanning.html#install_agent

HackerProof:

HackerProof is Comodo's daily vulnerability scanning service; it performs a daily vulnerability scan on one FQDN per license. If a customer passes the daily vulnerability scans, they are issued a HackerProof Trust Mark logo. A HackerProof license also includes an Enterprise HackerGuardian scanning license.

***** HG/HP: Any false-positive review or report-pack creation takes 1-2 business days, not counting weekends or holidays.

WebInspector:

Web Inspector is a cloud-based service that inspects a website for malware daily, detects vulnerabilities that could be exploited, and protects the site against known security threats. It also embeds PCI compliance scanning (HG/HP) for e-commerce websites that accept credit card payments, to keep them compliant with the payment card industry's mandatory standard. It is free for 90 days, but the free period includes no phone support and no trust seal.

  • The daily malware scanning service: performs a comprehensive malware scan of the pages of the website and checks every major website blacklisting service to confirm the site is not listed. It sends an immediate notification if a problem is found.
  • The Vulnerability & PCI Scanning extension: a dedicated dashboard for testing the website's security. It provides a daily vulnerability scan and the PCI compliance scanning.

Hackerguardian Documentation and Common Resources

HG scanner IP address range: 178.255.82.64/27 (178.255.82.64 through 178.255.82.95). Customers should allowlist this range on their firewall and any IDS/IPS so the scan is not blocked or throttled; otherwise the results will be incomplete. If they want to scan their internal network, we have the HG Agent software, which creates a VPN tunnel between the scanner and their network so internal hosts can be reached without opening inbound firewall rules.

Note that PCI DSS only requires the external-facing scans to be performed by an ASV; the internal scans the standard also requires do not have to come from an ASV.
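The following is an added example (not Comodo's code or part of the HackerGuardian product) showing the two checks a practitioner usually needs around the scanner range: deciding whether a source address in a firewall log belongs to the HG scanner /27 (so blocked ASV traffic can be told apart from hostile scanning), and generating allowlist rules for that range. The log lines are constructed samples in iptables LOG format, the interface name is an assumption, and the rules are returned as strings for review rather than applied.

```python
import ipaddress
import re

# HackerGuardian scanner source range as stated on this page:
# 178.255.82.64/27 covers 178.255.82.64 through 178.255.82.95.
HG_SCANNER_RANGE = ipaddress.ip_network("178.255.82.64/27")

# Constructed sample firewall log lines (not real traffic), iptables LOG style.
# .70 and .95 are inside the /27; .96 is just outside it and must NOT be
# treated as scanner traffic even though it looks similar.
SAMPLE_LOG = """\
Jul 19 02:14:03 fw kernel: DROP IN=eth0 SRC=178.255.82.70 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Jul 19 02:14:05 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22
Jul 19 02:14:09 fw kernel: DROP IN=eth0 SRC=178.255.82.95 DST=203.0.113.10 PROTO=TCP SPT=51240 DPT=8080
Jul 19 02:14:11 fw kernel: DROP IN=eth0 SRC=178.255.82.96 DST=203.0.113.10 PROTO=TCP SPT=51241 DPT=80
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_hg_scanner(ip: str) -> bool:
    """True if the address falls inside the HackerGuardian scanner range."""
    return ipaddress.ip_address(ip) in HG_SCANNER_RANGE


def classify_log(text: str) -> dict:
    """Split logged source addresses into ASV scanner traffic vs everything else.

    Dropped packets from the scanner range mean the firewall is interfering
    with the PCI scan and the allowlist has not been applied.
    """
    result = {"scanner": [], "other": []}
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue  # not a packet log line
        src = m.group(1)
        bucket = "scanner" if is_hg_scanner(src) else "other"
        result[bucket].append(src)
    return result


def allowlist_rules(iface: str = "eth0") -> list:
    """iptables rules that accept the scanner range ahead of any DROP or
    rate-limit rule (inserted at position 1). The interface name is an
    assumption for the example. Returned as strings for review, not applied."""
    net = str(HG_SCANNER_RANGE)
    return [
        f"iptables -I INPUT 1 -i {iface} -s {net} -j ACCEPT",
        f"iptables -I FORWARD 1 -i {iface} -s {net} -j ACCEPT",
    ]


if __name__ == "__main__":
    seen = classify_log(SAMPLE_LOG)
    if seen["scanner"]:
        print("ASV scanner traffic is being dropped from:", ", ".join(seen["scanner"]))
        print("Apply (after review):")
        for rule in allowlist_rules():
            print("  " + rule)
    print("Other dropped sources:", ", ".join(seen["other"]))
```

Run it and the drops from 178.255.82.70 and 178.255.82.95 are reported as scanner traffic that the firewall is blocking, while 198.51.100.23 and the look-alike 178.255.82.96 stay in the "other" bucket. The same membership test can be pointed at any other log source by adjusting `SRC_RE`.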

Hackerguardian FAQs - http://www.hackerguardian.com/hackerguardian/faqs.html

Hackerguardian User's Manual - http://www.hackerguardian.com/help/manualmainpage.html

PCI DSS v3.1 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

HackerGuardian Reporting False Positives - https://www.hackerguardian.com/help/view-report-dss.html#Report_False_Positives

PCI DSS v3.2 (the standard the SAQ 3.2 questionnaires are based on) - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1480359485710

Hackerguardian/Hackerproof Common FAQs

HG SAQ Guide w/Screenshots: HG SAQ Guide Release 15.0.odt

Comodo HackerGuardian JIRA Roadmap

OWASP Testing Guide, Testing for Reflected Cross-site Scripting (OWASP-DV-001) - https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)


Escalations