Blog, Learning Center March 16, 2021

How to Resolve Findings on Your SecurityScorecard Rating

Benjamin Franklin once said, “in this world, nothing is certain except death and taxes.” However, if he were here today, he would likely add cybersecurity risk to that list. Regardless of cybersecurity program maturity or IT infrastructure complexity, every organization faces digital security threats. Managing risk is an ever-evolving process, one that requires iteration. While perfection is ideal, the world is imperfect. Understanding how to remediate and resolve SecurityScorecard security ratings findings can help you iterate your cybersecurity and compliance program for continued visibility into your risk posture.

What security rating resolution types does SecurityScorecard offer?

At SecurityScorecard, we believe that the key to gaining customer trust lies in being transparent about our security rating scores. As part of this commitment to transparency, we ensure customers and their vendors understand how they can remediate or resolve findings.

SecurityScorecard offers three types of rating resolutions:

  1. Dispute – The company provides evidence that the identified risk/finding was incorrectly associated with their Scorecard and should be removed from the company’s record.
  2. Correction – The company provides clarifying data about a compensating control that is in place which is not visible to our non-intrusive, outside-in view.
  3. Appeal – The company resolved the risk and the issue should be removed from the company’s Scorecard.

Why do some organizations have to resolve or remediate findings?

Since SecurityScorecard uses non-invasive external monitoring technology, we can only verify the effectiveness of public-facing controls. Sometimes, the platform detects control issues that a customer might manage with an internal-facing compensating control. As a non-intrusive continuous monitoring technology, SecurityScorecard recognizes these limitations and works with customers to resolve any issues customers or their vendors have.

We encourage customers to submit refutes with supporting evidence so that we can update scorecards when necessary and appropriate. Scorecards are updated within 48-72 hours of documentation review and approval.

What are some questions new customers might have around security ratings’ findings?

Generally, when onboarding a new customer, the SecurityScorecard platform needs to set baselines. We scan for IP addresses and then monitor based on that discovery. Since our relationship with the customer is new, we sometimes find that this requires a conversation as we learn more about the customer’s IT stack.

Do you get a lot of false positives or false negatives during initial IP attribution?

Our automated IP attribution process enables SecurityScorecard to operate at scale. To give customers confidence in our processes, we engaged a team of independent pentest experts to audit a random sample of scorecards. Of the 1480 IP addresses attributed to 13 company digital footprints, the team found that our automation demonstrated a 94% accuracy for IP attribution.

SecurityScorecard uses public Regional Internet Registry (RIR), domain name server (DNS), and secure sockets layer (SSL) data in combination with third-party data sources. After aggregating the data sources for each domain and IP pairing, the automation accepts the pair if it exceeds a given confidence level threshold.

Do you often find stale or misattributed domains?

As part of our commitment to data transparency, we validated our domain attribution processes by hiring expert, independent pentest experts to review 13 companies’ digital footprints across 377 DNS records. Our automation demonstrated an overall accuracy of 100%.

We use the Domain WHOIS service and passive DNS sources to generate the initial list of related domains for every scorecard. From there, we use machine learning algorithms and substring matching to ensure high confidence for related domains.

Why is a subsidiary IP attributed to a parent domain?

We automate IP address discovery to gain an understanding of your digital footprint and associated digital assets based on the parent company’s public record. As with any automation, this process means that human intervention is sometimes required.

Subsidiaries can pose cyber risk to their parent organizations based on how you architect your network connections. However, SecurityScorecard offers a Custom Scorecard functionality so you can align your monitoring across distinct business units or subsidiaries. This enables you to reassign portions of the parent organization’s digital assets to the Custom Scorecard, offering a more accurate view of your operations.

Why might a security patch update not be recorded by SecurityScorecard?

Since SecurityScorecard only scans publicly available data, the platform may not register some types of security updates. For example, many organizations use backporting, which is applying the important security patch code to an older, vulnerable version of the software. If the banner response fails to reveal these backported updates, the SecurityScorecard will not be able to detect them.

However, we encourage companies to submit a correction with the necessary documentation through the refute process. Once reviewed, the scorecard will reflect the change within 48 hours.

Why are there findings linked to a parked domain, marketing site, or text-only site?

Although these websites may not be used as part of daily businesses, they can still pose cybersecurity risks. Cybercriminals can use parked domains without adequate Sender Policy Framework (SPF) protection in phishing attacks or spoof the address. Meanwhile, the HTTPS protocol protects data integrity and prevents browsers from marking the site as “not secure.”

SecurityScorecard’s platform surfaces these issues to ensure full risk visibility and good cyber hygiene practices.

What is a “stale issue”?

Stale issues are ones that are either considered irrelevant due to their age or ones a customer has remediated. In some cases, security experts or industry standards will deem an issue “aged out.” SecurityScorecard removes these when they reach the age-out time.

The platform removes remediated issues during the next scan cycle.

However, customers can submit a refute to SecurityScorecard for stale issues. The scorecard will be updated 48 hours after the submission’s review and approval.

How does the platform distinguish between corporate and third-party assets?

SecurityScorecard uses DNS CNAME records as a starting point for identifying third-party cloud service or Software-as-a-Service (SaaS) providers. Additionally, we use an advanced algorithm with BGP peering topology features to enhance our ability to evaluate whether the primary network types behind each ASN is a corporate network, ISP, or CDN.

Additionally, if a preset threshold for the number of different domains pointing to an IP is reached, we designate that as a “shared IP.” We then remove security issues from the domains associated with the IP.

How does the platform manage third-party vendor data breaches?

To inform our vendor risk management and data science teams, SecurityScorecard maintains a database containing data breach information from the past 20 years, totaling over 35,000 unique breach reports. This enables us to continuously tune our scoring algorithms and breach likelihood metrics.

Even if a data breach is not mentioned by name in the platform, SecurityScorecard continued to evaluate data breach news sources, such as breach disclosure required by certain jurisdictions and business sectors.

Does SecurityScorecard detect all malware on my network?

SecurityScorecard operates one of the largest malware sinkhole networks, collecting over 1 billion indicators of compromise every day. They also discover malware emanating from hundreds of thousands of organizations daily, without using intrusive measures.

Our Threat Intelligence Team of experts reverse engineer malware across different malware families to characterize their behaviors and threat levels. However, malware authors, criminal groups, and nation-state actors continuously evolve their coding techniques and communication methodologies, making complete detection impossible.

SecurityScorecard informs organizations about their security posture and hygiene. Our platform observes a significant amount of malware to provide this feedback, but it is not a substitute for an anti-virus/anti-malware solution.

Is there a difference between how SecurityScorecard rates large and small companies?

SecurityScorecard rates organizations based on their digital footprint. An enterprise organization may have thousands or millions of IP addresses, creating a large attack surface. Meanwhile, small organizations have a smaller digital footprint and attack surface.

To provide fair scores for both types of organizations, SecurityScorecard implemented a principled statistical framework that compares organizations of similar sizes. This enables us to create a meaningful distribution of A through F scores for any size organization.

What do I need to do to remediate or resolve a finding?

SecurityScorecard updates IP footprints daily to ensure data integrity. As part of our commitment to transparency and data accuracy, we want to make the process of remediating or resolving findings as easy as possible.

Step 1

Identify the issue or IP/domain that you want to dispute, correct, or appeal.

To identify the issue you want removed:

  • Go to My Scorecard
  • Select the specific issue on the Issues Tab
  • Select one or multiple vulnerabilities related to the same issue

To identify the IP/domain you want removed:

  • Go to My Scorecard
  • Go to the Digital Footprint Tab
  • Select one or multiple IPs/domains

Step 2

Select the reason you want the Issue or IP/domain removed from your Scorecard

To select the reason you want a specific issue removed:

  • Hit Resolve and select one of four resolution reasons:
    • I have fixed this
    • I have a compensating control
    • This is not my IP or domain
    • I cannot reproduce this issue and I think it’s incorrect

To select the reason you want a specific IP removed:

  • Hit Remove and select one of four reasons
    • These IPs are not mine
    • These IPs are associated with a domain that is not mine
    • I have compensating controls
    • I am a hosting provider and these IPs are managed by a customer

Step 3 (Optional)

Users have the ability to add private or public comments to any issue on their Scorecard.

To add a private or public comment on an issue:

  • Go to My Scorecard
  • Select the specific issue on the Issues Tab
  • Select add a comment
  • Choose from five pre-canned comments or create a custom comment
  • Make the comment public or private (Public custom comments go through a short approval process before they are added to the Scorecard)

What happens next?

SecurityScorecard reviews each submitted dispute and associated supporting evidence and, if warranted, corrects and updates the scorecard. A challenge or resolution is either accepted or denied within 48-hours on average. If accepted, the Scorecard is then updated between 48-72 hours.

Audit Log Visibility

Users have visibility into the status of each issue that was submitted for review. The categories include:

  • Open, Under Review, Resolved, Declined, and Decayed