I was listening to a recording of some colleagues speaking with a customer about security ratings and cyber insurance and there were some confusions in the discussion that troubled me and I wish that I had been there to help clear them up. Or at least try. So this little musing is meant to do that. Hopefully, by the end of this article, you will understand the difference between:
IP-based observations and host-based observations
collections scanning and attribution scanning
Imagine a jar with 4+ billion marbles in it. That’s the internet that we know and love. In this analogy, each marble is an IPv4 IP address (we’ll ignore IPv6 for the time being, I don’t have a jar large enough to play with numbers of those orders of magnitude right now).
The marbles change color and contain flecks and specs based on the number and type of vulnerabilities they have. For the sake of this explanation, let’s assume that an IP address with nothing listening on any ports is a marble that’s entirely colorless and transparent. It has no vulnerabilities, it is flawless. The color and patterns inside the rest of the marbles in the jar that we scan every day at SecurityScorecard correspond to collections scanning data. They help us produce observations of cyber risk that can be recorded and scored without the use of a domain name, hostname or providing any scanning input parameters. These scans contribute IP-based observations and issue types and are fairly quick to gather.
Our collections scanning infrastructure is located in 12 countries and takes pretty much the same amount of time to scan the internet each day because it’s a simple port mapping task if you have a reasonable number of scanning devices. We scan over 1,400 different commonly used network ports on each of the 4+ billion internet-routable IP addresses. Seeing TCP port 3389 available on an IP address in a scan is almost always a bad thing because that port is typically associated with Windows Remote Desktop protocol and should generally be shielded from direct internet access by a firewall or VPN gateway due to weaknesses that are discovered from time to time in this and other communications protocols and software in a ritual known as Microsoft Patch Tuesday each month. Not all vulnerabilities are Windows vulnerabilities, but more on that subject another time.
Scanning The Unknown
You might be a curious kind of person and want to know who owns each of the marbles? Who owns any given marble is attribution scanning data. And, attribution scanning takes more time than other kinds of scans. One of the reasons for this is because attribution data changes a lot for some marbles (cloud service provider customer IP space for example or internet service provider IP address ranges). We perform attribution scanning on some marbles (about 60–75 million or so) 12 times a day in order to get a good sense of who owns that marble.
Some digital criminals can get into your marble and steal your bank account information or cryptocurrency if they find that your marble (or your bank’s marble for most people) has brown flecks (nothing personal against the color brown here, but I had to pick a color to extend the analogy). So brown flecks are also the kind of thing that a cyber insurance company does not want to write a policy to cover. Why? Because lots of marbles with brown flecks in them have caused the insurance companies to pay more money in claims than they earn in premiums over the last year or two. Truly epic loss ratios have been recorded by the top 20 global cyber insurance providers in 2021. Unfortunately, the global pandemic has been a really good time for a lot of digital criminals.
What’s not so commonly understood (and don’t feel bad if this includes you) is that some vulnerabilities (aka marble colors) we cannot know until we ask the marble for a reply when scanning it by addressing the marble by its owner’s name. Those are the host-based observations and issue types. The scanning parameter here I’m referring to is known as the Host: header. The marble owner’s name is their domain name or host name. An example of the difference between domain name and host name is zip.com (domain name) and www.zip.com (hostname). There are other more precise words to use for this like TLD (Top Level Domain) for the “.com” part or FQDN (Fully Qualified Domain Name) and second or third level domain names, but this is not the time or place to dig into that particular subject. There are more headers and scanning parameters than just this one, but this one goes a long way towards providing insights into a lot of critical vulnerabilities in marbles. We see between 50 and 65 billion vulnerabilities in the jar of marbles that is the internet in our scanning each week. This has increased from 30–40 billion vulnerabilities just a few months ago. That’s a lot of brown flecks, green swirls and orange cats’ eyes.
No marbles are ever created or destroyed, but some marbles go missing for a while and nobody sees them for a long time. But they are not gone, there just is no path to the marble from your marble at the moment. Packets of data find their way across the jar of marbles using any number of different ports and protocols and that’s how TCP/IP works. There are even some marbles in space now and on the planet Mars (linux-based marbles just to be clear). And yes, there are flecks in some of these space marbles too.
A domain name like zip.com is, in this analogy at least, made up of a collection of marbles. We like to call this collection of marbles a digital footprint. A lot of our customers are surprised by the appearance of some of the marbles in their scorecard. Sometimes we get it wrong because attribution is pretty hard to do, but our marble refute rate is usually 1% or less on any given day or week. A company’s collection of marbles changes from time to time as they build and retire parts of their business infrastructure, or the digital footprint scales automatically in the cloud to handle increased visitors to your website (or to play Wordle).
Zero-Days And People
Some marbles suddenly change color when a zero-day vulnerability is discovered. Our scanners might need to be tuned to detect this new color which we can do quite quickly (often within 24 hours) so that we can let our customers know that they are at risk. Sometimes a business owns several different kinds of marbles and it’s our attribution scanning data that helps us identify that two or more marbles are probably owned by the same player. These are called “related domains” and show up on your scorecard due to attribution scanning and its the related domains analysis work that helps us create accurate measures of a company’s aggregate risk. You can also put a few marbles in a bag (we call it a portfolio) and then you can see the average risk of that whole bag of marbles. You can also get automated alerts when a marble changes color or has been breached.
Lastly, let’s not forget that marbles is a game played by people. And people are one of the most important ingredients in any business. But some engineers keep making every marble they touch vulnerable to attack by digital criminals who are pretty good at both playing marbles and taking control of vulnerable marbles. This is likely due to a lack of education and proper training, but at the end of the day we are all human and we all make mistakes. So some marbles have a particular color to them because the last engineer who touched it left behind a vulnerability or two.
Teams of marbles players are quite common and most companies rely heavily on the marbles of other companies (supply chain risk). Our security ratings platform is meant to help you know how many flecked marbles you have and to help you find out how to make them transparent and colorless. Some engineers are able to fix the colored vulnerabilities of any marble they cast their gaze upon. Those are smart engineers and everyone wants to hire them. If you’re one of those engineers you should come and work with us.