SecurityScorecard 10 Risk Factors Explained

Increasingly, organizations understand both the financial impact and information security posture value associated with cybersecurity ratings. At SecurityScorecard, we believe that trust begins with transparency. In keeping with this commitment to transparency, SecurityScorecard ensures that our ten risk factors are explained in an easy-to-understand manner that enables business and IT leaders to create meaningful conversations around cybersecurity risk and compliance.

Understand the cyberhealth of your ecosystem across 10 risk factors.

Application Security

Detecting common website application vulnerabilities.

The Web Application Vulnerability module uses incoming threat intelligence from known exploitable conditions identified via: whitehat CVE databases, blackhat exploit databases, and sensitive findings indexed by major search engines. The module ingests data from multiple public data sets, third party feeds, and an internal proprietary indexing and aggregation engine. The score determines the likelihood of an upcoming web application breach and checks for any existing defacement code. The presence of vulnerable applications, outdated versions, and active defacements are used to calculate the overall grade.

Cubit Score

Proprietary algorithms checking for implementation of common security best practices.

This proprietary module measures a variety of security issues that a company might have. For example, we check public threat intelligence databases for IP addresses that have been flagged. These misconfigurations may have high exploitability and could cause significant harm to the privacy of your data and infrastructure.

DNS Health

Detecting DNS insecure configurations and vulnerabilities.

This module measures the health and configuration of a company’s DNS settings. It validates that no malicious events occurred in the passive DNS history of the company’s network. It also helps validate that mail servers have the proper protection in place to avoid spoofing. It also helps verify that DNS servers are configured correctly.

Endpoint Security

Measuring security level of employee workstations.

The Endpoint Security Module tracks identification points that are extracted from metadata related to the operating system, web browser, and related active plugins. The information gathered allows companies to identify outdated versions of these data points which can lead to client-side exploitation attacks.

Hacker Chatter

Monitoring hacker sites for chatter about your company.

The SecurityScorecard Hacker Chatter module is an automated collection and aggregation system for the analysis of multiple streams of underground hacker chatter. Forums, IRC, social networks, and other public repositories of hacker community discussions are continuously monitored, collected, and aggregated in order to locate mentions of business names and websites. The Hacker Chatter score is an informational indicator ranking that is ranked based on the number of indicators that appear within the collection sensors.

IP Reputation

Detecting suspicious activity, such as malware or spam, within your company network.

The IP Reputation and Malware Exposure module makes use of the SecurityScorecard sinkhole infrastructure as well as a blend of OSINT malware feeds, and third-party threat intelligence data-sharing partnerships. The SecurityScorecard sinkhole system ingests millions of malware signals from commandeered Command and Control (C2) infrastructures globally from all over the world. The incoming data is processed and attributed to corporate enterprises. The quantity and duration of malware infections are used as the determining factor for calculating the Malware Exposure Key Threat Indicator.

Network Security

Detecting insecure network settings.

The Network Security module checks public datasets for evidence of high risk or insecure open ports within the company network. Insecure ports can often be exploited to allow an attacker to circumvent the login process or obtain elevated access to the system. If misconfigured, the open port can act as the entry point between a hacker’s workstation and your internal network.

Information Leak

Potentially confidential company information that may have been inadvertently leaked.

This Information Leak module makes use of chatter monitoring and deep web monitoring capabilities to identify compromised credentials being circulated by hackers. These come in the form of bulk data breaches announced publicly as well as smaller breaches, and smaller exchanges between hackers.

Patching Cadence

Out of date company assets which may contain vulnerabilities or risks.

The Patching Cadence module analyzes how quickly a company reacts to vulnerabilities to measure patching practices. We look at the rate at which it takes a company to remediate and apply patches compared to peers.

Social Engineering

Measuring company awareness to a social engineering or phishing attack.

The SecurityScorecard Social Engineering Module is used to determine the potential susceptibility of an organization to a targeted social engineering attack. The Social Engineering module ingests data from social networks and public data breaches and blends proprietary analysis methods. The Social Engineering Score is an informational indicator calculated based on the number of indicators that appear in SecurityScorecard collection sensors.

How we measure scores

An organization’s overall Total Score is based on a weighted average of the individual factor scores.

SecurityScorecard gives each factor a “weight,” or value of importance that reflects how important that particular factor is to an organization’s overall cybersecurity posture. Critical or high risks are given greater importance as part of the overall score.

We apply a similar weighted average to each of the individual risk factor groupings for the individual Factor Scores.

For example, since IP reputation is a higher risk than hacker chatter, we give that a greater “weight” when creating the Total Score. Within the IP reputation risk factor category, we look at the different controls and apply a similar ranking to those for evaluating the organization’s “IP reputation” Factor Score.

SecurityScorecard: Security with transparency

SecurityScorecard began with a belief that IT professionals and business leaders needed to communicate cybersecurity risks more effectively. We’ve worked to create an easy-to-understand scoring system based on an A-F rating scale so that all enterprise stakeholders can meaningfully discuss information security.

Companies with an F rating are 7.7x more likely to suffer a data breach versus those with an A rating. In a world where a data breach can lead to reputational and financial ruin, SecurityScorecard works hard to give organizations a way to protect the sensitive information that customers entrust to them.

For a more detailed discussion of our ten risk factors and how we generate our scores, visit our Trust Portal.