Posted on Mar 16, 2021
Benjamin Franklin once said, “in this world, nothing is certain except death and taxes.” However, if he were here today, he would likely add cybersecurity risk to that list. Regardless of cybersecurity program maturity or IT infrastructure complexity, every organization faces digital security threats. Managing risk is an ever-evolving process, one that requires iteration. While perfection is ideal, the world is imperfect. Understanding how to remediate and resolve SecurityScorecard security ratings findings can help you iterate your cybersecurity and compliance program for continued visibility into your risk posture.
At SecurityScorecard, we believe that the key to gaining customer trust lies in being transparent about our security rating scores. As part of this commitment to transparency, we ensure customers and their vendors understand how they can remediate or resolve findings.
SecurityScorecard offers three types of rating resolutions:
Since SecurityScorecard uses non-invasive external monitoring technology, we can only verify the effectiveness of public-facing controls. Sometimes, the platform detects control issues that a customer might manage with an internal-facing compensating control. As a non-intrusive continuous monitoring technology, SecurityScorecard recognizes these limitations and works with customers to resolve any issues customers or their vendors have.
We encourage customers to submit refutes with supporting evidence so that we can update scorecards when necessary and appropriate. Scorecards are updated within 48-72 hours of documentation review and approval.
Generally, when onboarding a new customer, the SecurityScorecard platform needs to set baselines. We scan for IP addresses and then monitor based on that discovery. Since our relationship with the customer is new, we sometimes find that this requires a conversation as we learn more about the customer’s IT stack.
Our automated IP attribution process enables SecurityScorecard to operate at scale. To give customers confidence in our processes, we engaged a team of independent pentest experts to audit a random sample of scorecards. Of the 1480 IP addresses attributed to 13 company digital footprints, the team found that our automation demonstrated a 94% accuracy for IP attribution.
SecurityScorecard uses public Regional Internet Registry (RIR), domain name server (DNS), and secure sockets layer (SSL) data in combination with third-party data sources. After aggregating the data sources for each domain and IP pairing, the automation accepts the pair if it exceeds a given confidence level threshold.
As part of our commitment to data transparency, we validated our domain attribution processes by hiring expert, independent pentest experts to review 13 companies’ digital footprints across 377 DNS records. Our automation demonstrated an overall accuracy of 100%.
We use the Domain WHOIS service and passive DNS sources to generate the initial list of related domains for every scorecard. From there, we use machine learning algorithms and substring matching to ensure high confidence for related domains.
We automate IP address discovery to gain an understanding of your digital footprint and associated digital assets based on the parent company’s public record. As with any automation, this process means that human intervention is sometimes required.
Subsidiaries can pose cyber risk to their parent organizations based on how you architect your network connections. However, SecurityScorecard offers a Custom Scorecard functionality so you can align your monitoring across distinct business units or subsidiaries. This enables you to reassign portions of the parent organization’s digital assets to the Custom Scorecard, offering a more accurate view of your operations.
Since SecurityScorecard only scans publicly available data, the platform may not register some types of security updates. For example, many organizations use backporting, which is applying the important security patch code to an older, vulnerable version of the software. If the banner response fails to reveal these backported updates, the SecurityScorecard will not be able to detect them.
However, we encourage companies to submit a correction with the necessary documentation through the refute process. Once reviewed, the scorecard will reflect the change within 48 hours.
Although these websites may not be used as part of daily businesses, they can still pose cybersecurity risks. Cybercriminals can use parked domains without adequate Sender Policy Framework (SPF) protection in phishing attacks or spoof the address. Meanwhile, the HTTPS protocol protects data integrity and prevents browsers from marking the site as “not secure.”
SecurityScorecard’s platform surfaces these issues to ensure full risk visibility and good cyber hygiene practices.
Stale issues are ones that are either considered irrelevant due to their age or ones a customer has remediated. In some cases, security experts or industry standards will deem an issue “aged out.” SecurityScorecard removes these when they reach the age-out time.
The platform removes remediated issues during the next scan cycle.
However, customers can submit a refute to SecurityScorecard for stale issues. The scorecard will be updated 48 hours after the submission’s review and approval.
SecurityScorecard uses DNS CNAME records as a starting point for identifying third-party cloud service or Software-as-a-Service (SaaS) providers. Additionally, we use an advanced algorithm with BGP peering topology features to enhance our ability to evaluate whether the primary network types behind each ASN is a corporate network, ISP, or CDN.
Additionally, if a preset threshold for the number of different domains pointing to an IP is reached, we designate that as a “shared IP.” We then remove security issues from the domains associated with the IP.
To inform our vendor risk management and data science teams, SecurityScorecard maintains a database containing data breach information from the past 20 years, totaling over 35,000 unique breach reports. This enables us to continuously tune our scoring algorithms and breach likelihood metrics.
Even if a data breach is not mentioned by name in the platform, SecurityScorecard continued to evaluate data breach news sources, such as breach disclosure required by certain jurisdictions and business sectors.
SecurityScorecard operates one of the largest malware sinkhole networks, collecting over 1 billion indicators of compromise every day. They also discover malware emanating from hundreds of thousands of organizations daily, without using intrusive measures.
Our Threat Intelligence Team of experts reverse engineer malware across different malware families to characterize their behaviors and threat levels. However, malware authors, criminal groups, and nation-state actors continuously evolve their coding techniques and communication methodologies, making complete detection impossible.
SecurityScorecard informs organizations about their security posture and hygiene. Our platform observes a significant amount of malware to provide this feedback, but it is not a substitute for an anti-virus/anti-malware solution.
SecurityScorecard rates organizations based on their digital footprint. An enterprise organization may have thousands or millions of IP addresses, creating a large attack surface. Meanwhile, small organizations have a smaller digital footprint and attack surface.
To provide fair scores for both types of organizations, SecurityScorecard implemented a principled statistical framework that compares organizations of similar sizes. This enables us to create a meaningful distribution of A through F scores for any size organization.
SecurityScorecard updates IP footprints daily to ensure data integrity. As part of our commitment to transparency and data accuracy, we want to make the process of remediating or resolving findings as easy as possible.
Identify the issue or IP/domain that you want to dispute, correct, or appeal.
To identify the issue you want removed:
To identify the IP/domain you want removed:
Select the reason you want the Issue or IP/domain removed from your Scorecard
To select the reason you want a specific issue removed:
To select the reason you want a specific IP removed:
Users have the ability to add private or public comments to any issue on their Scorecard.
To add a private or public comment on an issue:
SecurityScorecard reviews each submitted dispute and associated supporting evidence and, if warranted, corrects and updates the scorecard. A challenge or resolution is either accepted or denied within 48-hours on average. If accepted, the Scorecard is then updated between 48-72 hours.
Users have visibility into the status of each issue that was submitted for review. The categories include:
Have additional questions? Please reach out to [email protected].
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.