1. What is IndusGuard? 

IndusGuard by Indusface is a zero touch, non- intrusive, cloud based solution which safeguards websites by daily, automatic and comprehensive scanning of websites for systems and application vulnerabilities, and malware. IndusGuard is the world’s first web security product to offer a proven blend of vulnerability assessment, application audit and malware monitoring. By leveraging a Security-as-a-Service (SaaS) architecture in the cloud, requiring no software/hardware installation whatsoever, IndusGuard is instantly accessible allowing customers to begin safeguarding their website within minutes. An extension of IndusGuard is IndusGuard Premium, a powerful blend of IndusGuard’s daily, automated scanning

The IndusGuard Security Scan detects and reports vulnerabilities related to Web Application Security, Operating Systems, Databases, Network and Malwares on a daily basis. The IndusGuard Security Scan is architected on globally accepted best practices such as OWASP, OSSTMM, SANS and NIST using a combination of tools and manual techniques through certified analysts. IndusGuard is hosted and delivered from SAS 70 Type 2 certified secure data centre.

5. What is the IndusGuard Seal? 

The presence of an IndusGuard seal certifies that the particular website is scanned and certified on a daily basis to pass the IndusGuard Security Scan. The "live" IndusGuard 'Tested' Seal appears on the website with that day's corresponding date only when the website passes the daily IndusGuard Security Scan test. This assists the website owners to gain the trust of their customers who feel safe when accessing such websites.

1. How can I activate  my IndusGuard Account?

• On confirmation of purchase, you can register your website(s) using the license key provided to you or our sales representative can register your website on behalf of you

• You will then receive an activation confirmation. Click on the activation link, put in any additional information

2. How can I deactivate  my IndusGuard Account?

In order to deactivate one's account the user has to send an email through the link to support@indusguard.com. Your current registered period will run to its end and then your account will be suspended. You can re-activate your account at any time.

3. Does IndusGuard provide a trial to validate the product quality and delivery mechanisms? 

Yes, IndusGuard does provide a free trial for 7 days. Please contact a sales representative at sales@indusguard.com to get your free trial set up.

4. Will activating the IndusGuard Security Scan for the website have an effect on the load on the website?

The IndusGuard scan engine mechanism emulates single user behaviour pattern, which implies that there will be no load on the website due to running of the IndusGuard Scan on one's website.

1. How do I install the IndusGuard Secure Site Seal on my website? 

Once your account is activated with IndusGuard, your web developer or website administrator can download the secure site seal script from your account and add it to the appropriate pages. Once done, the secure site  seal will appear immediately on the desired pages, once your website has successfully cleared the IndusGuard Security scan and tests.

2. How does IndusGuard scan the website and when does the IndusGuard Secure Site Seal appear on my website?

The IndusGuard Scan Engine scans the website from various perspectives under services like Vulnerability Assessment, Application Audit and Malware Monitoring. The scan also ensures that there are no malwares or vulnerabilities in the website. If any vulnerability is found while scanning, it is notified to the user through the reports as well as in the IndusGuard Security Information Centre. The user is then expected to take prompt action to get rid of the malware or vulnerability. The presence of the IndusGuard secure site seal on the website depends on the scan results. If there is any kind of malware or vulnerability found on the website, the date on the secure site seal will stop changing but the secure site seal will stay for the next 72 hours. If the error is still not resolved / fixed, the secure site seal will go off in 72 hours.

4. Does an IndusGuard Security Scan look like an attack to an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)? 

In order to make a website hack-proof, one would have to try to break into it in much the same way as a hacker would. In other words, the IndusGuard scan on some occasions could indeed be detected as a malicious attack on the IDS/IPS under network scan. What is of greater significance however; is that some of the IndusGuard scans may go undetected even by IDS/IPS as it continues to focus on attack vectors hitherto for unknown. In the end, the objective is to find vulnerabilities that could make your website susceptible to attacks.

5. What happens if any vulnerability or malwares are detected on the website during an IndusGuard Scan? 

If any kinds of vulnerabilities or malwares are found on the website the secure site seal will be there on the website for next 72 hrs but the date will not be updated till the risk or threat is over. If the website owner does not take any action or however, if the errors are not fixed even after 72 hrs, the secure site seal will disappear though the scanning will still continue. Once the error is fixed and there are no vulnerabilities or malwares found on the website, the secure site seal will reappear on its own with the updated date and the mention of ' TESTED' again beside it.

6. What kind of vulnerabilities does IndusGuard detect? 

IndusGuard scan engines secure your website from Web Application , System  and Network Vulnerabilities, and Malwares.

• Vulnerabilities related to web application, such as XSS, Redirections, injection attacks
• Vulnerabilities related to systems such as web application server, incorrect server configurations, weak system access password, system patches and access control.
• Network Vulnerabilities which includes network perimeter security checks for your IDS/IPS, firewalls, router access control.
• Malware Monitoring checks for any presence of malware or malign scripts on the web site that may affect the visitors visiting the website.  

7. Does the website owner require any kind of hardware or software for the installation of IndusGuard services? 

IndusGuard is a zero-touch solution which does not require any installation or updating of any kind of application for it to scan and hence no hardware or software installation is required to begin using IndusGuard.

8. Would I still need IndusGuard if I have an antivirus solution? Why?

Yes. The function of the antivirus is to protect your server against the incoming known viruses, worms and trojans. The IndusGuard Security Scan monitors your website from the outside to detect and report any vulnerability or weakness that would allow unauthorized access to your site. Such vulnerabilities need not arise only because of a malicious code, but they could infect a site through a legitimate software or equipment that is either poorly configured or not updated regularly. IndusGuard complements an anti-virus solution in protecting one's website.

How can I access the results of my websites' daily scans?

IndusGuard provides every valid account an online web based Security Information Centre, which provides a comprehensive snapshot of reported vulnerabilities and malware, remediation suggestions as well as several alert and support options.

How will subscribing to IndusGuard help my business?

The key benefits of website security scanning  such as IndusGuard is that it helps organizations achieve compliance, increases customer confidence and trust, reduces overhead expenses towards managing website downtime and also legal battles or other related implications due to lax security measures. So get comprehensive website security with IndusGuard today and enjoy:
 

• Higher financial returns
• Faster time to market
• Improved processes
• Reduction in costs (Capital/ recurring/ sales cost)
• Enhanced productivity
• Customer satisfaction & loyalty

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

It stands for  Payment Card Industry - Data Security Standard  and is a set of security practices set forth by major credit card companies to protect card-holder data. 

No it is not required by law.  It is nothing more than a set of recommended security practices set by Credit Card companies 

You should care primarily because these are good security practices that helps secure your network and protect your consumer data , and hence minimize business disruption due to security issues and increase consumer confidence to do more ecommerce online. Though it is not law, there are non compliance fines and sanctions enforced by Credit card companies on merchants not complying to PCI-DSS.   There are also risks of financial implications (loss of revenue, potential lawsuits) due to identity theft and can cause unwanted media attention  and impact to the Organization Brand and Reputation

The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brandsThe program applies to all payment channels (retail, ecommerce etc..). The PCI offers a standard approach for protecting sensitive data for all card brands

The PCI DSS specifies the 12 requirements for compliance, organized into six logically-related groups, which are called “control objectives

Indusface is a authorized distributor of Entrust SSL certificates. This can be used to encrypt transmission of sensitive information over the net and combined with our information protection suite can also be used to protect and encrypt stored data in files and folders.  This specifically helps address items 3 and 4 from the PCI requirements.  This can be bundled with Indusguard website monitoring service to do daily scans of merchant websites and check for vulnerabilities, conduct  application audit and check for Malware.  This helps adhere to item6 from the PCI requirements in a more secure & cost effective manner.  The current alternative of engaging in manual tests/scans is  time consuming and more costly resulting in Merchants doing the bear minimal needed to meet compliance (e.g quarterly scans instead of daily) and compromise security. Indusgurad also provides PCI reports from the scans with specific remediation guidance in the report on what needs to be done to address non-compliance. Our solutions are also supported and backed by a team of qualified security consultants who can also be engaged for additional Security consulting professional services and consulting to help Enterprises meet their security objectives.

Any ecommerce sites which accepts payments over the internet can use our IndusGuard service to do website monitoring and differentiate themselves by providing a secure commerce environment for their customers

Payment Gateway solutions can bundle our services with their offering and differentiate themselves to offer it as a value added service to the merchants along with their payment gateway solution

In a nutshell this partnership can be defined as our technology , your brand.   It is designed to help give the partners full access to the IndusGuard technology ,  apply your brand and identity to it and sell and market it as your own product. 

• Quick time to market  & Rapid deployment , under your brand without having to build it from scratch. 
• Allows you to focus on enhancing your  service offerings to the customer with access to one of the most advanced technology platforms  &  thereby further enhance your brand value
• No need to do any upfront infrastructure cost and purchases
• Gives you access to complete technology developed , hosted and maintained by us , fully online 24x7, but managed by you.
• All the reports , monitoring and alerts needed to manage your clients are provided by us 

The technology and solution is no different from a pure reseller model , except we will provide custom branding for you as per our Privatelabel  branding guidelines.  The reports, dashboard will have your company name and branding instead of ours. 

Technically it is not and as mentioned above the additional thing you get with Privatelabel partnership is the ability to put your branding on the user interfaces and reports.  Privatelabel partners will also have to their own administration panel and have capabilities to do the administration on their own (example , setting up and scheduling a new service, scheduling Scan frequency etc..) 

No there is no additional upfront cost.   The commission in this model depends on sales volume revenue commits

• You want the customer to view and associate the product and service with your brand
• For any support  and Q/A , the customer will call you first and you will have to provide first level support and cannot just be a pass through to us
• If you already have a existing  service and want to add IndusGuard on top of your existing service offerings. (e.g. Webhosting companies, other Managed Security Services). 
• If you may want to use this as a vehicle to start investing in marketing for building your own brand 

• If your core business model is built around taking existing brands to market and reselling them
• If you do not want to invest additional money on marketing and awareness campaign on your own private label new brand. 
• If you want to let the principal handle support once the service is sold to your customer. 

Web Application Security Audit is  a assessment of how secure your Web Application is to withstand attacks from a malicious person or program.  It is essentially a feigned attack simulating what a malicious person may try.

1. Cross-Site Scripting (7 out of 10 websites)

2. Information Leakage (5 in 10 websites)

3. Content Spoofing (1 in 4 websites)

4. Predictable Resource Location (PRL) (1 in 4 websites)

5. SQL Injection (1 in 5 websites)

6. Insufficient Authentication (1 in 6 websites)

7. Insufficient Authorization (1 in 6 websites)

8. Abuse of Functionality (1 in 7 websites)

9. Directory Indexing (1 in 20 websites)

10. HTTP Response Splitting (1 in 25 websites)

Web Security audits are conducted to proactively uncover security holes that can be exploited  and also in specific cases to meet compliance  (e.g. PCI).  It is much more beneficial to have the issues uncovered via Web Application security Audit than via a real exploitation by a hacker.  It helps organization proactively protect their consumers, brand reputation, maintain business continuity  and meet compliance.

Web Application audit can be conducted in automated fashion subscribing to a service from the cloud that can do the test for your external facing web applications.  Most of the companies engage highly paid consultants consultant's to conduct the audit with special tools. 

For a complete comprehensive Audit a hybrid approach is recommended.  It is highly recommended to subscribe to a SaaS offering from a company which is also capable  of doing manual application audits.  The SaaS offering helps provide the basic level of security in a automated manner at a higher frequency (daily scans) in a more cost effective manner.   This can be combined with the Manual audits that can be done once a quarter or monthly to provide the comprehensive level of assurance to the organization for protecting their brand, data and meeting compliance

Just like a Burglar alarm installed in the house or the door lock does not guarantee against theft, but instead provides risk mitigation against theft, similarly proactively monitoring your site and addressing the issues mitigates the threats  and does not eliminate it. New threats keep emerging every day.  By partnering with Indusguard Organizations are assured that they do not have to worry about keeping up with these new threats as the Indusface  R&D team continuously keeps updating the Web Application audit service to address and detect these new threats in applications so that Organization can focus on their core business without having to worry about the technicalities of web application audit and security.

Malware, short for malicious software, is a software designed to secretly access a computer system without the owner's informed consent.

Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or program.

The prevalence of malware as a vehicle for organized Internet crime, along with the general inability of traditional anti-malware protection platforms to protect against the continuous stream of unique and newly produced malware, has seen the adoption of a new mind-set for businesses operating on the Internet: the acknowledgment that some sizable percentage of Internet customers will always be infected for some reason or another, and that they need to continue doing business with infected customers. The result is a greater emphasis on back-office systems designed to spot fraudulent activities associated with advanced malware operating on customers' computers.

While surfing on the internet, if a user visits a malware infected website or downloads infected software by mistake, the malicious software program gets installed to the user’s computer and does unwanted operations for its creator.

User’s very important information like credit card details, important username and passwords, personal information and other private information can be stolen  by the installed Malware and it can send the information it to its creator  using different mediums of communication.

Adware programs keep showing different non-relevant advertisements to the infected User forcefully!

A worm is self replicating and it needs no intervention from a human user. It will create copies of itself and spread itself all over user’s  network. One of the main ways that it is able to travel is through the use of networks, both the internet and local. A worm is one of the many threats that you can get from online when you leave your network unprotected.

Spyware programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are, in general, installed by exploiting security holes or are packaged with user-installed software, like web browsers.

Or we should be asking Why would one not worry about Malware.  Lack of protection against malware in your websites can risk compromising the safety of your consumers,  can result in disruption in business continuity, brand loss and reputation , unwanted publicity and lastly non compliance (e.g. PCI DSS ) penalties , if steps are not taken to proactively monitor for this.

To protect yourself from being infected by website malware, you need to focus on the security of your website first.

1. The first step is to identify the infected code on the website.

2. After identifying the code, search all the files for the infected code and remove all of them from the infected files of your website. Make sure you have a secure website now.

3. Subscribe to malware scanning service to make sure you have completely healed the infection.

4. Also subscribe to security scanning service to make sure your website is monitored for infection or possibility of infection, because malware infection can happen to vulnerable websites only.