An overview of McAfee's Vulnerability Auditing Process
McAfee Secure certification is achieved by passing rigorous daily network security audits. The certification process is
completed in six steps. The first three steps are the vulnerability audit itself, comprising Dynamic Port Scanning,
Port-level Network Services Vulnerability Testing, and Web Application Vulnerability Testing. The fourth and fifth
steps are alerts whenever vulnerabilities are detected and remediation management using our extensive vulnerability
management portal. The result is highly effective, proactive security.
The Vulnerability Audit Process:
(All scanning activity is safe and non-disruptive to your network operations.)
Step 1 - port discovery scan
The first phase is a thorough, interactive port scan of the target. Accurately determining which ports on an IP
address are open is the crucial first step to a comprehensive security audit. McAfee's proprietary firewall and
IDS/IPS aware network discovery technology is designed to accurately map out any size or complexity of network
topology. This is often not a simple process. Unlike most scanning solutions based on Nmap, our advanced dynamic port
scanning can handle all targets, from desktop PCs to the most aggressive firewalls, IDS and IPS systems.
Step 2 - network services vulnerability scan
During this second phase of the audit process, we thoroughly interrogate each service running on every available
port to determine exactly what software is running and how it is configured. Once this information is acquired, it is
matched to our Knowledge Base of vulnerabilities in order to launch additional application-specific and generic tests
of each available service. These tests are based on our extensive knowledge base of over 10,000 vulnerabilities,
which is updated every 15 minutes.
Step 3 - web application scan
Web application testing is the third phase of McAfee's daily security audit, and perhaps the most important.
According to analyst firm Gartner Group, an estimated 70% of all security breaches today are due to vulnerabilities
within the web application layer. Traditional security mechanisms such as firewalls and IDSs provide little or no
protection against attacks on your web applications. During this testing phase, all HTTP services and virtual domains
are checked for the existence of potentially dangerous modules, configuration settings, CGIs and other scripts, and
default installed files. The web site is then "deep crawled," including Flash-embedded links and password-protected
pages, to find forms and other potentially dangerous "interactive elements." These are then exercised in specific
ways to disclose any application-level vulnerabilities such as code revelation, cross-site scripting and SQL
injection. Both generic and software-specific tests are performed in order to uncover misconfigurations and coding
error vulnerabilities.
This three-phase approach to vulnerability auditing enables us to perform more accurate audits with less load on your
servers. It also enables us to run any single test or test phase on a target to detect changes, test specific ports
or vulnerabilities, or run web-application-only tests on multiple web sites residing on a single server.
Step 4 - alerting:
After each scheduled daily or manual audit you receive alerts whenever a vulnerability has been discovered. Alerts
are configurable by user, device group, and severity level. They can be sent to any number of email-enabled devices,
such as cell phones and pagers. Between each daily audit, you also receive immediate, preemptive alerts when
any new vulnerability added to our knowledge base targets a specific device in your account. This significantly
reduces exposure time between daily audits. Additional manual audits can be launched at any time. Manual audits can be
configured to only retest current vulnerabilities for patch confirmation, or to conduct aggressive DoS and "full
exploit" type tests.
Step 5 - analysis and remediation:
Interactive tools and wizards enable you to easily manage vulnerability information. Vulnerabilities may be listed to
allow ranking by combinations of device groups, severity or effort-to-patch. Configurable device grouping allows
expedited remediation planning, delegation and patch management. Complete, detailed, easy-to-follow patch
instructions are provided within the vulnerability management portal. Links to more information, such as CVE, CERT,
BugTraq and vendor resources are also provided. McAfee Secure certification service also includes unlimited email or
telephone technical support from CISSP certified security professionals. Whatever your question, or level of
expertise, our experienced staff is there to support you throughout the remediation process.
Step 6 - SiteAdvisor Auditing
In addition to vulnerability scanning, the McAfee SECURE service also includes technology that helps protect web sites (and consumers) against "social engineering" tricks like spyware infections, identity theft scams, and sites which send excessive e-mail. The SiteAdvisor technology is based on a system of automated testers which continually patrol the Web to browse sites, download files, and enter information on sign-up forms. The SiteAdvisor rating technology, which users can download in the form of a toolbar, summarizes the safety results into intuitive red, yellow and green ratings to help Web users stay safe as they search, browse and transact online.
Step 7 - McAfee Secure certification
McAfee's patent-pending security auditing technology allows the McAfee Secure mark to appear only when a web site's
current security status meets the highest published government standards. A maximum of 72 hours is allowed to patch
vulnerabilities before the certification mark is replaced by a single-dot "clear" gif image. The certification mark
will reappear as soon as a new audit is passed. McAfee Secure certification is fully accredited to meet the scanning
requirements for the Payment Card Industry (PCI) standard.