McAfee Secure Technical White Paper
|Table of Contents|
|Vulnerability Knowledge Base and Management Portal|
|Secure Portal Architecture and Distributed Scanning Network|
|Proactive Security Scanning and Daily Audits|
|Real-Time and Online Alerts|
|Multiphase Vulnerability Audit Technology|
|The Daily Audit Procedure|
|Phase 1—Port Discovery Scan|
|Phase 2—Network Service Scan|
|Phase 3—Web Application Scan|
|The McAfee SECURE Data Security Standard|
|Vulnerability Management Portal|
|Interactive Vulnerability Assessment and Management|
|Devices and Device Groups|
|Configurable and Manual Scans|
|Multiple User Roles|
|Low Reduced False Positives|
|Device Configuration Editing|
|McAfee Network Architecture|
|Our State-of-the-Art Secure Data Centers|
|For More Information|
Protection of Entire Infrastructure
•Daily scanning of Internet services, ports, operating systems, servers, key applications, firewalls, addressable switches, load balancers, and routers for known vulnerabilities.
Safe and Easy to Use
Most security efforts lose effectiveness over time. Any changes in your web server, web applications, or other infrastructure configuration, can unintentionally open the door to security hazards. With so many new threats identified each day, you need to continually test your security measures and decide which risks are the most important to address. You also need to know which vulnerabilities are the most critical and require your immediate remediation.
Accurate vulnerability scanning and reporting technology identifies the presence of security holes, including dangerous web application risks. This provides the information you need to prioritize and rapidly address risks across business units and IT groups. McAfee SECURE™ service provides scanning and reporting along
with relevant guidance. The service is delivered as Software-as-a-Service, a complete web-based service requiring no installation, no set-up, no hardware purchases, no software development, no security expertise, and no special training. We monitor your servers vulnerabilities 24/7 to proactively ensure your network is protected around the clock
nondestructive vulnerability scanning
and certification to the McAfee SECURE data security standard.
•Concise reports provide specific recommendations for remediation.
Comprehensive and Always Up To Date
•Vulnerability data updated from worldwide sources, Tests for over 40,000 individual vulnerabilities.
More than 80,000 websites certified by the McAfee SECURE service help merchants to keep their website safe from hackers with the McAfee SECURE standard that is an aggregate of industry best practices, designed to provide a level of security that an online merchant can reasonably achieve to help provide consumers with better protection when interacting with websites and shopping online. Our advanced vulnerability discovery and management technology provides an easy-to-use, reliable, and comprehensive solution with a proven ROI.
Vulnerability Knowledge Base and Management Portal
Our up-to-date knowledge base powers our comprehensive network security audits and vulnerability management technology. We update the knowledge base regularly from sources worldwide with tests for newly discovered vulnerabilities. These updates ensure that McAfee SECURE customers are always alerted of the latest vulnerabilities. Our web-based management portal provides secure access to the latest vulnerability data at any time, from anywhere. Extensive tools allow you to launch scans, examine vulnerability details or trends, access patch information, configure alerts, assign user roles, and generate customized reports.
Secure Portal Architecture and Distributed Scanning Network
The McAfee SECURE vulnerability management portal provides secure storage and processing of vulnerability data on an n-tiered architecture of secure load-balanced application servers. All customer data is located in Tier-1 high-availability, continuously monitored data centers. The center is physically and logically secured with biometric access and 24/7 on-site security personnel. Our network of distributed scanning servers allows us to easily and reliably perform daily security audits for tens of thousands of clients located around the world.
Proactive Security Scanning and Daily Audits
The McAfee SECURE service scans websites for vulnerabilities that pose a threat to sensitive customers information. The McAfee SECURE service conducts daily network perimeter scanning and testing for more than 45,000 network and Web application vulnerabilities.
Real-Time and Online Alerts
Following the daily audit, you will receive an immediate email alert directing you to login to your account if new vulnerabilities have been found.
Once logged into your account, vulnerability scan results can be viewed including detailed server fingerprints, open ports, and vulnerability data along with detailed patch recommendations applicable to your specific system configuration. Historical audit data is also available, along with printable audit reports. Should you have any questions or need assistance regarding patching your system, technical support is included in your subscription.
For websites on shared or fully managed servers, a separate account is provided for the web host. The website owner retains full administrative control, but for security reasons, cannot view vulnerability information pertaining to the web host’s infrastructure. In this case, only the web host can view vulnerability details and patch information.
Multiphase Vulnerability Audit Technology
Daily security audits are preformed in three phases: Port Scanning, Network Services Testing, and Web Applications Vulnerability Testing. This multi phase approach to vulnerability auditing allows us to perform more accurate audits with lower load on your servers. It also allows us to run any single test phase on a target to detect changes, test specific ports or vulnerabilities, as well as run web application only tests on multiple websites residing on a single server.
These scans are designed to minimize load on the device being tested. Scans are specifically designed to be non-disruptive/non-invasive and will not slow or lock-up the device or service being tested.
The Daily Audit Procedure
Phase 1—Port Discovery Scan
Phase one is a thorough port scan of the target. Accurately determining which ports on an IP address are open is the crucial first step to a comprehensive security audit. This is not a simple process, however our advanced dynamic port scanning can handle all targets from desktop PCs to the most aggressive firewalls, IDS and IPS systems.
Phase 2—Network Service Scan
After determining which ports are open we begin a network services test on each port. During this phase we thoroughly interrogate the service to determine exactly what software is running and how it is configured. This information is leveraged in order to launch additional service specific and generic tests. run web application only
Phase 3—Web Application Scan
Web application testing is the third phase of our daily security audit. According to industry sources, such as Gartner, an estimated 60-75% of all security breaches today are due to vulnerabilities within the web application layer. Traditional security mechanisms such as firewalls provide little or no protection against attacks on your web applications. All HTTP services and virtual domains are tested for the existence
In addition to vulnerability scanning, the McAfee SECURE service includes technology that helps protect merchant websites and their consumers from “social engineering” tricks like spyware infections, identity theft scams, and sites which send excessive e-mail.
The McAfee SECURE Data Security Standard
In order for a merchant to display the McAfee SECURE trustmark, it is required to submit, at minimum, the target website for auditing and pass the required tests. Sites using Akamai for content distribution should also submit the origin server for audit and review. The website(s) must be audited by McAfee, Inc.’s Automated Vulnerability Assessment technology on a daily basis without interference by Intrusion Detection or Intrusion Prevention System.
McAfee SECURE data security standard is a vulnerability rating system based on Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS) and apply specific rules to adjust severities of individual vulnerabilities based on data compromise potential.
The McAfee SECURE data security standard is separate from the Payment Card Industry Data Security Standard (PCI-DSS). McAfee SECURE requires daily auditing and certification, whereas PCI DSS requires quarterly scanning by an ASV and SSL doesn’t require auditing at all. The appearance of the McAfee SECURE trustmark on a website is not related to the retailer’s PCI compliance.
Vulnerability Management Portal
The portal provides a comprehensive and easy-to-use interface for vulnerability management. Our secure web-based vulnerability management system provides extensive vulnerability data along with complete patch information enabling rapid prioritization and remediation. Configuration of both device (port level) and domain (protocol level) scanning is available. On-demand security audits can be initiated at any time. Multiple user accounts can be created with appropriate roles and privilege levels providing information access and alert levels tailored to your organization. From protecting a single website to auditing a complex network, we provide the appropriate tools for each task.
Interactive Vulnerability Assessment and Management
McAfee doesn’t just provide you with a 100-page list of the vulnerabilities we find like some other scanning vendors. Instead, we give you an interactive vulnerability management tool to view
vulnerabilities by device or device group, sort and view detailed remediation steps, create custom alert levels for each user or role, compare recent audits with data going back up to three years, and configure and generate PDF security management and compliance reports.
Devices and Device Groups
The ability to effectively manage vulnerability data by assigning any network device, group of devices, or IP address to specific groups or individuals is essential to manage your organization’s security. Device classification capabilities, individual devices, or entire IP blocks, can be easily grouped by type, business function, geographic location, or other criteria and then assigned to a user or group of user accounts. This flexible, powerful system can then be used to drive audit schedules, alerting, remediation activities, and reporting throughout your organization.
Configurable and Manual Scans
Scanning time may be scheduled by individual device, device group. Manual scans can be run at any time, while special “denial of service” and “full exploit” scans can only be run in the manual mode. Manual scans of current vulnerabilities only are available to help speed remediation efforts.
Multiple User Roles
Hierarchical multi-user environment with role-based access, alerting and reporting distributed management capabilities enable delegation of vulnerability assessment as well as remediate tasks to multiple users with assigned privileges, while maintaining centralized control for the Security Manager. This functionality simplifies delegation of network security maintenance, facilitates compliance reporting, and provides management with up-to-date overview reports.
McAfee SECURE tests for known vulnerabilities in the following general categories:
•Blind SQL Injection
•SQL Database Error Disclosure
•Local File and Remote File Includes
•Improper Error Handling
•Application Source Code Disclosure
•Expiration Command Injection
•Malicious CGI Scripts
•Client Side Vulnerabilities
•Malicious Affiliations (links)
•Misuse of Personal Information
•Annoyances (excessive pop-ups)
•Scams (business practices)
Low Reduced False Positives
Our false positive management system greatly reduces the frequency of false positives that plague most vulnerability scanning systems. One of our objectives is creating scanning technology with a low level of false positives. Under some conditions, any system will report the “indication” of a possible threat where none actually exists. This typically occurs when the proper patch cannot be confirmed without invasive action. We always err on the side of caution and will notify you to confirm the presence or absence. Our system minimizes false positives by drawing on our extensive customer population. Additionally, we provide a convenient workflow to mark potential threats as false positive.
Device Configuration Editing
Device information including IP address, device type, etc. can be updated at any time. You can add additional devices or domains, create users, initiate on-demand scans, and schedule set scan times.
Extensive executive and compliance reporting capabilities include easily customizable report templates. You have the flexibility to create downloadable executive-level summary reports and detailed technical reports to satisfy regulatory requirements.
McAfee Network Architecture
Our multi-tier network architecture is fast, highly scalable, fully redundant and secure.
Our scan appliances are distributed in multiple networks. Each appliance is individually protected by its own firewall. All remote administration and reporting is through encrypted connections.
Our State-of-the-Art Secure Data Centers
•Integrated biometric card access control
•24/7 CCTV video surveillance and recording
•Security staff on patrol 24/7
•Multiple redundant Tier 1 backbone private peering
•Failover load balancers
•Redundant web server and application server clusters
•Seismically braced racks
•Dual-interlock fire suppression systems
•Uninterruptible Power Supply (UPS with automatic power transfer bridge system)
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. Backed by its unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.
For More Information
Please call us at 877-302-9965 or visit us online at www.mcafeesecure.com
|2821 Mission College Boulevard||McAfee, McAfee logo, and McAfee SECURE are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and|
|Santa Clara, CA 95054||other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein|
|888 847 8766||are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied.|
|www.mcafee.com||Copyright © 2011 McAfee Inc.|