SecurityScorecard performs IP attribution using automated processes operating at scale. SecurityScorecard attributes IPs to domains using public RIR, DNS, and SSL data as well as third-party data sources. The data sources are aggregated for each pairing of a domain and IP, and the domain-IP pair is accepted if the overall confidence level exceeds a given threshold.
A team of independent pentest experts audited a random sample of scorecards to objectively determine the accuracy of SecurityScorecard IP and domain attribution. Expert testing of the digital footprints of 13 companies with 1480 IP addresses demonstrated an overall accuracy of 94% for IP attribution.
SecurityScorecard utilizes the Domain WHOIS service and passive DNS sources to generate a list of related domains for every scorecard. The list is processed using machine learning algorithms and substring matching to retain only high confidence related domains.
A team of independent pentest experts audited a random sample of scorecards to objectively determine the accuracy of SecurityScorecard IP and domain attribution. Expert testing of the digital footprints of 13 companies with 377 DNS records demonstrated an overall accuracy of 100% for domain attribution.
IP footprints are updated daily.
SecurityScorecard utilizes an “outside-in” process to externally evaluate a company’s cybersecurity posture in a non-intrusive manner. We maintain collaborative relationships with our users and encourage them to submit refutes accompanied by supporting evidence to correct their scorecards, where appropriate. Scorecards are updated to reflect refutes within 48 hours.
Establishing the digital footprint and associated digital assets of an organization begins with the parent domain. SecurityScorecard utilizes automated discovery processes to find all the IPs and related domains associated with the parent domain based on the public record.
Additionally, SecurityScorecard allows users to create Custom Scorecards aligned with distinct business units or subsidiaries and reassign portions of the parent organization’s digital assets to the Custom Scorecards to more accurately reflect their organization’s operations. It is noteworthy that while digital assets may belong to a subsidiary or separate business unit, they may still pose a risk to the parent organization because of network connections.
When a vulnerable product or service has been patched through a backporting process, the patch may not be externally visible. In such cases, users may submit a correction through SecurityScorecard’s refute process, and the scorecard will be updated within 48 hours.
Some websites may be parked or restricted to only displaying text or images without any interaction with a user. However, such sites may still be exploited, for example, for email spoofing and phishing campaigns if adequate SPF protections are not in place. SecurityScorecard surfaces such issues when sites do not adhere to best practices.
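As an added illustration of the SPF point above (not SecurityScorecard code), the following check classifies the SPF posture of domains that send no mail, such as parked sites, from their TXT records. The domain names and TXT answers are constructed and embedded inline so it runs offline; a real check would query DNS.

```python
"""Classify SPF posture of non-sending (parked) domains from TXT records.

Added example, not SecurityScorecard code. DNS answers are constructed
inline (hypothetical domains) so the check runs offline.
"""
from typing import Dict, List

# Constructed sample TXT answers for hypothetical domains.
TXT_RECORDS: Dict[str, List[str]] = {
    "parked.example": ["google-site-verification=abc123"],          # no SPF at all
    "holding.example": ["v=spf1 include:_spf.example.net ~all"],    # softfail only
    "legacy.example": ["v=spf1 +all"],                               # permits any sender
    "locked.example": ["v=spf1 -all"],                               # correct for no mail
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],                # two records: invalid
}


def spf_records(txt: List[str]) -> List[str]:
    """Return the TXT strings that are SPF version-1 records."""
    return [r for r in txt if r.lower().startswith("v=spf1")]


def all_qualifier(record: str) -> str:
    """Qualifier of the 'all' mechanism ('+', '-', '~', '?'), or '' if no 'all' term."""
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            # A mechanism without an explicit qualifier defaults to '+' (pass).
            return term[0] if term[0] in "+-~?" else "+"
    return ""


def assess_non_sending_domain(txt: List[str]) -> str:
    """Return a finding for a domain that should never send mail."""
    records = spf_records(txt)
    if not records:
        return "no SPF record: publish 'v=spf1 -all'"
    if len(records) > 1:
        return "multiple SPF records: receivers treat this as an error; keep exactly one"
    q = all_qualifier(records[0])
    messages = {
        "-": "ok: hard fail for every sender",
        "~": "softfail (~all): spoofed mail is only flagged; use '-all' for a domain that sends no mail",
        "?": "neutral (?all): no protection; use '-all'",
        "+": "permissive (+all): anyone may send as this domain; use '-all'",
        "": "no 'all' term: result defaults to neutral; add '-all'",
    }
    return messages[q]


if __name__ == "__main__":
    for name, txt in TXT_RECORDS.items():
        print(f"{name}: {assess_non_sending_domain(txt)}")
```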
SecurityScorecard encourages adoption of best practices to maintain good security hygiene. The HTTPS protocol is recommended not only for secure transmission but also to ensure data integrity and to prevent a website from being marked as “not secure” by web browsers.
SecurityScorecard scores reflect vulnerabilities and overall adherence to good security practices. Each issue type has a life cycle and naturally decays off the scorecard following remediation. The decay times (age-out windows) for each issue type have been determined by security experts and industry standards when available. Following remediation, issues drop off the scorecard upon reaching the age-out time or upon the next scan cycle, whichever occurs first.
Alternatively, a user can submit a refute to SecurityScorecard if an issue is stale and the scorecard will be updated within 48 hours.
Reliable identification of third-party infrastructure can be challenging. To assist in the identification process, SecurityScorecard utilizes DNS CNAME records that point to cloud service providers or SaaS providers. Additionally, SecurityScorecard is enhancing its algorithms that use BGP peering topology features to evaluate whether the primary network type behind each ASN is a corporate network, an ISP, or a CDN.
SecurityScorecard also determines the number of different domains that point to the same IP. If a preset threshold is exceeded, the IP is designated as a ‘shared IP’ and security issues associated with it are removed from the domains associated with that IP.
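The two mechanisms described on this page, accepting a domain-IP pair once the combined confidence of several sources exceeds a threshold and then suppressing issues on IPs shared by many domains, can be modelled end to end. The block below is an added illustration, not SecurityScorecard's algorithm: the noisy-OR combination rule, both thresholds, and the evidence and findings are assumptions constructed for the example.

```python
"""Toy domain-IP attribution with a confidence threshold, then shared-IP suppression.

Added example, not SecurityScorecard code. Combination rule, thresholds,
domains, addresses and findings are all constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ACCEPT_THRESHOLD = 0.80   # assumed: minimum combined confidence to accept a pair
SHARED_IP_THRESHOLD = 3   # assumed: more than this many domains on one IP => shared

# Constructed evidence tuples: (domain, ip, source, confidence).
EVIDENCE = [
    ("acme.example", "192.0.2.10", "rir", 0.6),
    ("acme.example", "192.0.2.10", "dns", 0.7),
    ("acme.example", "192.0.2.11", "ssl", 0.5),     # one weak source: rejected
    ("shop.acme.example", "203.0.113.5", "dns", 0.9),
    ("blog.acme.example", "203.0.113.5", "dns", 0.9),
    ("other-tenant.example", "203.0.113.5", "dns", 0.9),
    ("another.example", "203.0.113.5", "dns", 0.9),
]

# Constructed findings observed per IP address.
ISSUES_BY_IP = {"192.0.2.10": ["tls_weak_cipher"], "203.0.113.5": ["open_rdp"]}


def combine(confidences: List[float]) -> float:
    """Noisy-OR: probability that at least one independent source is right."""
    p_all_wrong = 1.0
    for c in confidences:
        p_all_wrong *= 1.0 - c
    return 1.0 - p_all_wrong


def attribute(evidence) -> Set[Tuple[str, str]]:
    """Aggregate every source per (domain, ip) pair and keep pairs over threshold."""
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for domain, ip, _source, conf in evidence:
        by_pair[(domain, ip)].append(conf)
    return {pair for pair, confs in by_pair.items() if combine(confs) > ACCEPT_THRESHOLD}


def shared_ips(pairs: Set[Tuple[str, str]]) -> Set[str]:
    """IPs that more than SHARED_IP_THRESHOLD distinct attributed domains point to."""
    domains_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in pairs:
        domains_per_ip[ip].add(domain)
    return {ip for ip, ds in domains_per_ip.items() if len(ds) > SHARED_IP_THRESHOLD}


def issues_per_domain(pairs: Set[Tuple[str, str]], issues_by_ip) -> Dict[str, List[str]]:
    """Attach IP findings to each attributed domain, dropping those on shared IPs."""
    shared = shared_ips(pairs)
    out: Dict[str, List[str]] = {}
    for domain, ip in sorted(pairs):
        out.setdefault(domain, [])
        if ip not in shared:
            out[domain].extend(issues_by_ip.get(ip, []))
    return out
```

Running `issues_per_domain(attribute(EVIDENCE), ISSUES_BY_IP)` keeps the weak-cipher finding on acme.example, while the open RDP finding on the four-tenant address is suppressed for all of its domains.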
SecurityScorecard maintains a large corpus of historical data breaches covering the past 20 years and totalling over 35,000 unique breach reports. This data set helps inform Vendor Risk Management teams and allows our data science team to tune our scoring algorithms to more properly reflect breach likelihood. While not all breaches are publicly reported, SecurityScorecard continues to evaluate new sources of breach data, especially as breach disclosure becomes mandated in certain geographical regions or business sectors.
SecurityScorecard operates one of the largest networks of malware sinkholes, collecting over 1 billion indicators of compromise every day and discovering malware emanating from hundreds of thousands of organizations. Malware activity is detected externally to a company’s network, without any intrusive measures.
SecurityScorecard’s Threat Intel team includes experts who reverse engineer malware to help characterize the behavior and threat level of different malware families. They do so despite the ongoing efforts of malware authors, criminal groups, and nation state actors, who use evolving coding techniques and communication methodologies to evade detection.
While no single tool or security solution can discover or observe all malware activity, SecurityScorecard does observe a significant amount of malware, which constitutes a representative sample and informs its assessment of the security awareness and hygiene of target organizations.
While it may appear this way, it’s factually not true. One of the challenges facing any cybersecurity ratings platform is providing fair scores for both large and small organizations. Larger enterprises with thousands or millions of IPs naturally have a larger attack surface than do smaller firms with a smaller digital footprint. SecurityScorecard has implemented a principled statistical framework which ensures organizations are compared to others of comparable size. This approach ensures a meaningful distribution of scores A to F for large and small companies and all sizes in between.