Audited by Netcraft



The Audited by Netcraft service regularly tests your Internet-facing infrastructure, supplies the information you need to maintain your security and eliminate vulnerabilities, and attests, through a dynamically generated seal, that its most recent test found no serious vulnerabilities. Testing can be as frequent as daily. This gives the people who use your services a much greater degree of assurance than they would have if they knew nothing at all about your approach to security.

What does Audited by Netcraft mean?

There is an enormous variation in the degree of care and attention different businesses take with respect to their security, but often little cosmetic difference that can be discerned by the casual user of their services. Even if you already care strongly about security, and diligently test the security of your network, sites and applications from both inside and outside your router, the chances are that few people outside your own organization know whether your network is secure or not.

Many sites involved in ecommerce and handling encrypted transactions prominently display a seal from the provider of their SSL certificate. However, an SSL certificate only ensures that the traffic between the browser and the site is encrypted in transit and that the site presents a certificate for its name; it says nothing about the security of the server or application behind it.

Audited by Netcraft shows that the audited company is actively maintaining the security of the IP address ranges registered with Netcraft against remote attacks from the Internet. The "Audited by Netcraft" seal is served dynamically and shows the date of the last clean test, that is, the last test in which no serious vulnerabilities that could permit remote compromise were detected. Netcraft updates its tests each day, adding new tests for the latest security exploits as they are discovered.

Payment Card Industry Compliance

Due to the increasing level of online credit card fraud, the payment card industry established the Payment Card Industry (PCI) Data Security Standard to specify security measures for merchants with an online presence. From July 2005, both MasterCard and Visa require that all online merchants processing 20,000 e-commerce transactions per year, or more than 6 million card transactions in total, undergo regular security testing by an approved third party. Smaller merchants are also recommended to have regular scanning. The PCI standard unites several programs run by the different industry groups, including MasterCard's Site Data Protection program (SDP) and Visa's Cardholder Information Security Program (CISP).

Audited by Netcraft has successfully completed SDP compliance testing. This means that online merchants can use Audited by Netcraft to fulfil the regular scanning requirement of PCI compliance. It also gives our customers the assurance that Audited by Netcraft has itself been independently tested.

How it works

When you sign up and register your company's IP address range for the "Audited by Netcraft" service, Netcraft will test your network address space to determine which machines and services are reachable from the Internet. If you are part of a large organization, Netcraft can help identify all the IP address ranges and domains owned by your company.

Scanning can be performed on daily, weekly or monthly test schedules. Changes between scans are highlighted in the reports, and on-demand rescanning of individual hosts is included at no extra cost.

The tests include a full TCP and UDP port scan to identify available services on each responding host. Each service is tested for information leaks, configuration errors and potential vulnerabilities. Our database of vulnerabilities contains the collective experience gained from testing thousands of networks, from public security advisories, and from our own research. It is continually updated, with over 250 new classes of vulnerability added each year.

Once the tests are complete we will contact you with a URL and a username/password for accessing your report. If the report is clean you will also be given the HTML to display the Audited by Netcraft seal. If vulnerabilities are found, URLs to advisories describing each problem and how to correct it are provided, so that you can fix the problems and retest your sites. The advisory database is updated daily and is cross-referenced to relevant vendor information and CVE names. Support by electronic mail and telephone is included within the service.

In some cases, for example a buffer overflow, a vulnerability cannot be tested directly without risking crashing the server, so the check must rely on indirect evidence and a false positive can be generated. You can mark, and sign off, any false positives.

As time goes on you will make changes to your configurations, and new vulnerabilities will be discovered in the services you use. When a change is detected in the Internet-facing profile of your network or sites, you will be alerted, and you can use the information in the advisory to fix the problem, with support as necessary.
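The two mechanical parts of the procedure above, a connect scan that records which services answer and a comparison of successive snapshots so that changes stand out, are shown below as an added example. This is not Netcraft's code and does not describe its scanner; the host, the port list, the snapshot contents and the banner served by the local listener are all constructed for the example, and only a plain TCP connect() followed by a read is attempted, so nothing beyond what an ordinary client does is sent to the target.

```python
"""Added example: TCP connect scan with banner capture, plus a diff of two
scan snapshots.  Hosts, ports, banners and snapshots are constructed."""
import socket
import threading
from typing import Dict, Iterable, List, Tuple


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Return {port: banner} for every port that accepts a TCP connection.

    No payload is sent; services that speak first (SMTP, SSH, FTP) yield a
    banner, silent services (HTTP) yield an empty string after the timeout,
    and refused or filtered ports are omitted.
    """
    found: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue  # closed (ECONNREFUSED) or filtered (timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:
                banner = ""  # open but silent, or reset on read
            found[port] = banner
    return found


def diff_scans(previous: Dict[int, str], current: Dict[int, str]) -> Tuple[List[int], List[int], List[int]]:
    """Return (new, removed, changed) port lists between two snapshots.

    A changed banner usually means a software upgrade or replacement, which is
    exactly the kind of event that warrants a rescan of that host.
    """
    new = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(p for p in set(previous) & set(current) if previous[p] != current[p])
    return new, removed, changed


# Constructed snapshots for one host: port 80 went away, 443 appeared, sshd changed.
PREVIOUS_SNAPSHOT = {22: "SSH-2.0-OpenSSH_7.4", 80: ""}
CURRENT_SNAPSHOT = {22: "SSH-2.0-OpenSSH_8.9", 443: ""}


def _serve_banner(listener: socket.socket, banner: bytes) -> None:
    """Accept one connection and send a constructed banner (local fixture)."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)
    listener.close()


def demo_local_scan() -> Tuple[Dict[int, str], int, int]:
    """Scan loopback against a listener started here; returns (result, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(
        target=_serve_banner,
        args=(listener, b"220 mail.example ESMTP (constructed banner)\r\n"),
        daemon=True,
    ).start()

    # Obtain a port that is known to be closed: bind, read it back, release it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    result = connect_scan("127.0.0.1", [open_port, closed_port])
    return result, open_port, closed_port


if __name__ == "__main__":
    result, open_port, closed_port = demo_local_scan()
    print(f"open {open_port}: {result.get(open_port)!r}; closed {closed_port} present: {closed_port in result}")
    new, removed, changed = diff_scans(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    print(f"new={new} removed={removed} changed={changed}")
```

A real scanner would also cover UDP, which needs protocol-specific probes because a UDP port gives no connection-level signal of being open; the diff logic, however, is the same whatever produced the snapshots.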

Enterprise-wide Auditing

A larger organisation's Internet presence can be geographically very disparate, making it difficult to identify exposure on an enterprise-wide basis. The risks, disclosure of confidential information, brand damage, loss of customer confidence and outright financial loss, are considerable, and servers located outside the head office and main datacenters are often the most vulnerable. Netcraft can help you identify all of your organisation's registered netblocks and web sites.

Correspondingly, the benefits of certification are also significant. Nothing gives a consumer more confidence than knowing that the whole of the organisation's Internet exposure is tested on a daily basis, and that there are no well-known remote vulnerabilities in that company's defences.

With the Audited by Netcraft service, the whole of an enterprise's Internet address space can be tested on a daily basis, vulnerabilities identified, and the right people within the organisation notified, regardless of where in the world the problems are located.

Costs

The "Audited by Netcraft" service is priced on the size of the IP address range to be tested and the number of machines visible to the Internet. We will confirm the IP address ranges with you and quote a price on that basis.

Please contact us by email, or phone +44-1225-447500, for more information.
