The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2024
SecurityScorecard 10 Risk Factors Explained
Increasingly, organizations understand both the financial impact and information security posture value associated with cybersecurity ratings. At SecurityScorecard, we believe that trust begins with transparency. In keeping with this commitment to transparency, SecurityScorecard ensures that our ten risk factors are explained in an easy-to-understand manner that enables business and IT leaders to create meaningful conversations around cybersecurity risk and compliance.
Understand the cyberhealth of your ecosystem across 10 risk factors.
Application Security
Detecting common website application vulnerabilities.
The Web Application Vulnerability module uses incoming threat intelligence from known exploitable conditions identified via: whitehat CVE databases, blackhat exploit databases, and sensitive findings indexed by major search engines. The module ingests data from multiple public data sets, third party feeds, and an internal proprietary indexing and aggregation engine. The score determines the likelihood of an upcoming web application breach and checks for any existing defacement code. The presence of vulnerable applications, outdated versions, and active defacements are used to calculate the overall grade.
Cubit Score
Proprietary algorithms checking for implementation of common security best practices.
This proprietary module measures a variety of security issues that a company might have. For example, we check public threat intelligence databases for IP addresses that have been flagged. These misconfigurations may have high exploitability and could cause significant harm to the privacy of your data and infrastructure.
DNS Health
Detecting DNS insecure configurations and vulnerabilities.
This module measures the health and configuration of a company’s DNS settings. It validates that no malicious events occurred in the passive DNS history of the company’s network. It also helps validate that mail servers have the proper protection in place to avoid spoofing. It also helps verify that DNS servers are configured correctly.
Endpoint Security
Measuring security level of employee workstations.
The Endpoint Security Module tracks identification points that are extracted from metadata related to the operating system, web browser, and related active plugins. The information gathered allows companies to identify outdated versions of these data points which can lead to client-side exploitation attacks.
Hacker Chatter
Monitoring hacker sites for chatter about your company.
The SecurityScorecard Hacker Chatter module is an automated collection and aggregation system for the analysis of multiple streams of underground hacker chatter. Forums, IRC, social networks, and other public repositories of hacker community discussions are continuously monitored, collected, and aggregated in order to locate mentions of business names and websites. The Hacker Chatter score is an informational indicator ranking that is ranked based on the number of indicators that appear within the collection sensors.
IP Reputation
Detecting suspicious activity, such as malware or spam, within your company network.
The IP Reputation and Malware Exposure module makes use of the SecurityScorecard sinkhole infrastructure as well as a blend of OSINT malware feeds, and third-party threat intelligence data-sharing partnerships. The SecurityScorecard sinkhole system ingests millions of malware signals from commandeered Command and Control (C2) infrastructures globally from all over the world. The incoming data is processed and attributed to corporate enterprises. The quantity and duration of malware infections are used as the determining factor for calculating the Malware Exposure Key Threat Indicator.
Network Security
Detecting insecure network settings.
The Network Security module checks public datasets for evidence of high risk or insecure open ports within the company network. Insecure ports can often be exploited to allow an attacker to circumvent the login process or obtain elevated access to the system. If misconfigured, the open port can act as the entry point between a hacker’s workstation and your internal network.
Information Leak
Potentially confidential company information that may have been inadvertently leaked.
This Information Leak module makes use of chatter monitoring and deep web monitoring capabilities to identify compromised credentials being circulated by hackers. These come in the form of bulk data breaches announced publicly as well as smaller breaches, and smaller exchanges between hackers.
Patching Cadence
Out of date company assets which may contain vulnerabilities or risks.
The Patching Cadence module analyzes how quickly a company reacts to vulnerabilities to measure patching practices. We look at the rate at which it takes a company to remediate and apply patches compared to peers.
Social Engineering
Measuring company awareness to a social engineering or phishing attack.
The SecurityScorecard Social Engineering Module is used to determine the potential susceptibility of an organization to a targeted social engineering attack. The Social Engineering module ingests data from social networks and public data breaches and blends proprietary analysis methods. The Social Engineering Score is an informational indicator calculated based on the number of indicators that appear in SecurityScorecard collection sensors.
How we measure scores
The Total Score is calculated based on 200+ weighted issue types and the volume of corresponding findings.
SecurityScorecard assigns a risk-based weight for every issue type, described as Breach Risk. Issue types with higher correlation for breach have a higher weight and issue types with lower correlation for breach resulted in lower weights.
These weighted issue types are categorized within 10 score factors and can be found on every Scorecard.
This dynamic, data-centric approach promises a more accurate reflection of breach likelihood through SecurityScorecard ratings using proven breach history correlated across 200+ issue types.
SecurityScorecard: Security with transparency
SecurityScorecard began with a belief that IT professionals and business leaders needed to communicate cybersecurity risks more effectively. We’ve worked to create an easy-to-understand scoring system based on an A-F rating scale so that all enterprise stakeholders can meaningfully discuss information security.
Companies with an F rating are 13.8x more likely to suffer a data breach versus those with an A rating. In a world where a data breach can lead to reputational and financial ruin, SecurityScorecard works hard to give organizations a way to protect the sensitive information that customers entrust to them.
For a more detailed discussion of our ten risk factors and how we generate our scores, visit our Trust Portal.