Frequently Asked Questions


Some of the IPs in my Digital Footprint don’t belong or no longer belong to my organization (False Positives), while some IPs seem to be missing (False Negatives). What do you do to keep your IP attribution accurate?

SecurityScorecard performs IP attribution using automated processes operating at scale. SecurityScorecard attributes IPs to domains using public RIR, DNS, and SSL data as well as third-party data sources. The data sources are aggregated for each pairing of a domain and IP, and the domain-IP pair is accepted if the overall confidence level exceeds a given threshold.

A team of independent pentest experts audited a random sample of scorecards to objectively determine the accuracy of SecurityScorecard IP and domain attribution. Expert testing of the digital footprints of 13 companies with 1480 IP addresses demonstrated an overall accuracy of 94% for IP attribution.

Some of the related domains appearing on my scorecard are stale or don’t belong to my company. How accurate is domain attribution?

SecurityScorecard utilizes the Domain WHOIS service and passive DNS sources to generate a list of related domains for every scorecard. The list is processed using machine learning algorithms and substring matching to retain only high confidence related domains.

A team of independent pentest experts audited a random sample of scorecards to objectively determine the accuracy of SecurityScorecard IP and domain attribution. Expert testing of the digital footprints of 13 companies with 377 DNS records demonstrated an overall accuracy of 100% for domain attribution.

How often do you update Digital Footprints?

IP footprints are updated daily.

Since SecurityScorecard can’t really see inside my company’s network and account for compensating controls, why should I trust your data?

SecurityScorecard utilizes an “outside-in” process to externally evaluate a company’s cybersecurity posture in a non-intrusive manner. We maintain collaborative relationships with our users and encourage them to submit refutes accompanied by supporting evidence to correct their scorecards, where appropriate. Scorecards are updated to reflect accepted refutes within 48 hours.

You found an issue that is related to our subsidiary but their IP is attributed to our scorecard. How can I trust that information?

Establishing the digital footprint and associated digital assets of an organization begins with the parent domain. SecurityScorecard utilizes automated discovery processes to find all the IPs and related domains associated with the parent domain based on the public record.

Additionally, SecurityScorecard allows users to create Custom Scorecards aligned with distinct business units or subsidiaries and reassign portions of the parent organization’s digital assets to the Custom Scorecards to more accurately reflect their organization’s operations. Note that although digital assets may belong to a subsidiary or separate business unit, they may still pose a risk to the parent organization because of network connections between the two.

This machine is not vulnerable because it has backported patches that are not revealed in the banner response.

When a vulnerable product or service has been patched through a backporting process, the patch may not be externally visible. In such cases, users may submit a correction through SecurityScorecard’s refute process, and the scorecard will be updated within 48 hours.

This domain is parked therefore any findings on it are low or no impact.

Some websites may be parked or restricted to only displaying text or images without any interaction with a user. However, such sites may still be exploited, for example, for email spoofing and phishing campaigns if adequate SPF protections are not in place. SecurityScorecard surfaces such issues when sites do not adhere to best practices.
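The following script is an added illustration of the SPF check described above; it is not SecurityScorecard’s code. It classifies a domain’s TXT record set by the SPF qualifier on the `all` mechanism, and recognises the “null” record `v=spf1 -all` that a parked domain sending no mail should publish. The domain names and TXT records are constructed sample data embedded inline so it runs offline; a real check would fetch them from DNS first.

```python
"""Classify the SPF posture of domains, including parked ones.

Added illustration (not SecurityScorecard's code). The TXT records below
are constructed sample data embedded inline so the script runs offline;
in practice you would fetch them with a DNS resolver.
"""
import re

# Constructed sample TXT records keyed by domain name (assumption: one
# record set per domain, as a resolver would return it).
SAMPLE_TXT = {
    "parked-good.example":  ["v=spf1 -all"],
    "parked-bad.example":   ["google-site-verification=abc123"],
    "softfail.example":     ["v=spf1 include:_spf.example.net ~all"],
    "neutral.example":      ["v=spf1 a mx ?all"],
    "permissive.example":   ["v=spf1 +all"],
    "multi.example":        ["v=spf1 -all", "v=spf1 mx -all"],
}

SPF_VERSION = "v=spf1"


def find_spf(txt_records):
    """Return the SPF records among a domain's TXT records (RFC 7208 says
    exactly one may exist; more than one is a permanent error)."""
    return [r for r in txt_records if r.lower().startswith(SPF_VERSION)]


def classify_spf(txt_records):
    """Return a verdict for a domain's TXT record set.

    none        : no SPF record; any host may spoof the domain
    invalid     : more than one v=spf1 record (evaluation fails)
    permissive  : '+all' / bare 'all' authorises every sender
    neutral     : '?all' or no 'all' term; receivers treat it like no record
    softfail    : '~all'  -> mail is marked but usually delivered
    hardfail    : '-all'  -> unauthorised senders are rejected
    null        : 'v=spf1 -all' with no other mechanisms, the recommended
                  record for a domain that sends no mail (parked domains)
    The 'redirect=' modifier is not followed in this illustration.
    """
    spf = find_spf(txt_records)
    if not spf:
        return "none"
    if len(spf) > 1:
        return "invalid"
    terms = spf[0].split()[1:]          # drop the version tag
    # The 'all' mechanism normally comes last; its qualifier defaults to '+'.
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        return "neutral"   # no 'all' => implicit neutral result (RFC 7208 4.7)
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-" and len(terms) == 1:
        return "null"
    return {"+": "permissive", "?": "neutral", "~": "softfail", "-": "hardfail"}[qualifier]


def parked_domain_is_protected(txt_records):
    """A parked domain only resists spoofing if unauthorised senders hard-fail."""
    return classify_spf(txt_records) in ("null", "hardfail")


def audit(domain_txt=SAMPLE_TXT):
    """Classify every domain in the sample set."""
    return {d: classify_spf(r) for d, r in domain_txt.items()}


if __name__ == "__main__":
    for domain, verdict in audit().items():
        print(f"{domain:22} {verdict}")
```

A parked domain with no SPF record at all (`parked-bad.example` in the sample) is the case the FAQ describes: nothing in DNS tells a receiving mail server that mail claiming to be from that domain is forged.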

Some of my company’s websites are marketing or text-only sites, but SecurityScorecard flags the URL for Application Security issues, including not enforcing HTTPS.

SecurityScorecard encourages adoption of best practices to maintain good security hygiene. The HTTPS protocol is recommended not only for secure transmission but also to ensure data integrity and to prevent a website from being marked as “not secure” by web browsers.
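As an added example, not SecurityScorecard’s detection logic, the script below shows what “enforcing HTTPS” amounts to when checked from the outside: a plain-HTTP request must be redirected to an `https://` URL on the same host, ideally permanently, and the HTTPS response should carry a `Strict-Transport-Security` header with a non-trivial `max-age`. The two response sets are constructed sample data (a static marketing site before and after the fix), and the one-year `max-age` floor is an assumption chosen to match common preload guidance.

```python
"""Check whether a site enforces HTTPS, given the responses to a plain-HTTP
request and to the HTTPS request.

Added illustration, not SecurityScorecard's detection logic. The responses
below are constructed sample data so the script runs offline; a real check
would issue the two requests and feed in the status codes and headers.
"""
from urllib.parse import urlparse

ONE_YEAR = 31536000          # seconds; assumed minimum acceptable HSTS max-age


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_https_enforcement(host, http_status, http_headers, https_headers):
    """Return a list of findings (an empty list means HTTPS is enforced).

    host          : hostname the plain-HTTP request was sent to
    http_status   : status code returned for http://host/
    http_headers  : headers of that response
    https_headers : headers of the https://host/ response
    """
    findings = []
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}

    # 1. Plain HTTP must redirect to HTTPS on the same host.
    if http_status not in (301, 302, 307, 308):
        findings.append("http_not_redirected")
    else:
        target = urlparse(http_h.get("location", ""))
        if target.scheme != "https":
            findings.append("redirect_not_https")
        elif target.hostname and target.hostname.lower() != host.lower():
            findings.append("redirect_leaves_host")
        if http_status in (302, 307):
            findings.append("redirect_not_permanent")   # browsers will not cache it

    # 2. The HTTPS response should pin future visits with HSTS.
    hsts = https_h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts_missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age == 0:
            findings.append("hsts_disabled")          # max-age=0 clears the policy
        elif max_age < ONE_YEAR:
            findings.append("hsts_max_age_short")
    return findings


# Constructed sample responses: a static marketing site that serves plain
# HTTP without redirecting, and the same site after the fix.
WEAK = dict(host="www.example.test", http_status=200,
            http_headers={"Content-Type": "text/html"},
            https_headers={"Content-Type": "text/html"})
FIXED = dict(host="www.example.test", http_status=301,
             http_headers={"Location": "https://www.example.test/"},
             https_headers={"Strict-Transport-Security":
                            "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    print("weak :", check_https_enforcement(**WEAK))
    print("fixed:", check_https_enforcement(**FIXED))
```

The “text-only site” argument does not change the verdict: the redirect and the HSTS header cost nothing to serve, and without them a network attacker can rewrite the unencrypted page or inject content regardless of how little it contains.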

Why is there a stale issue on my scorecard that is no longer relevant?

SecurityScorecard scores reflect vulnerabilities and overall adherence to good security practices. Each issue type has a life cycle and ages off the scorecard after remediation. The decay time (age-out window) for each issue type was set by security experts, following industry standards where available. After remediation, an issue drops off the scorecard when it reaches its age-out time or when the next scan cycle no longer observes it, whichever occurs first.

Alternatively, a user can submit a refute to SecurityScorecard if an issue is stale and the scorecard will be updated within 48 hours.

A digital asset attributed to my scorecard is actually controlled by a third party - a cloud service provider or a CDN. How does SecurityScorecard distinguish between corporate assets and those belonging to a third party?

Reliable identification of third-party infrastructure can be challenging. To assist in the identification process, SecurityScorecard utilizes DNS CNAME records that point to cloud service providers or SaaS providers. Additionally, SecurityScorecard is enhancing its algorithms that utilize BGP peering topology features to evaluate whether the primary network type behind each ASN is a corporate network, an ISP, or a CDN.

SecurityScorecard also determines the number of different domains which point to the same IP. If a preset threshold is exceeded, the IP is designated as a ‘shared IP’ and security issues associated with it are removed from the domains associated with that IP.
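The script below is an added illustration of the two heuristics just described, the CNAME-to-provider check and the shared-IP threshold; it is not SecurityScorecard’s code, and the provider suffix list, the threshold value and the DNS snapshot are all constructed assumptions. It also guards against CNAME loops and dead ends, which a resolver walking real records has to handle.

```python
"""Separate first-party assets from third-party-hosted and shared IPs
using a DNS snapshot.

Added illustration of two attribution heuristics: CNAME targets landing in
a cloud/SaaS provider's zone, and an IP that many distinct names resolve
to. Not SecurityScorecard's code; the provider suffixes, the threshold and
the DNS records are constructed assumptions.
"""
from collections import defaultdict

# Assumed suffixes of third-party providers' hostnames (example values).
THIRD_PARTY_SUFFIXES = {
    "cloudfront.example": "cdn",
    "azurewebsites.example": "paas",
    "shopify-hosted.example": "saas",
}
SHARED_IP_THRESHOLD = 3   # assumed: more distinct names than this => shared IP

# Constructed DNS snapshot: name -> ("CNAME", target) or ("A", ip)
DNS = {
    "www.acme.test":               ("CNAME", "d111.cloudfront.example"),
    "d111.cloudfront.example":     ("A", "203.0.113.10"),
    "shop.acme.test":              ("CNAME", "acme.shopify-hosted.example"),
    "acme.shopify-hosted.example": ("A", "203.0.113.20"),
    "vpn.acme.test":               ("A", "198.51.100.5"),
    "mail.acme.test":              ("A", "198.51.100.6"),
    "loop.acme.test":              ("CNAME", "loop2.acme.test"),
    "loop2.acme.test":             ("CNAME", "loop.acme.test"),
    # four unrelated names on one hosting IP
    "a.other.test": ("A", "192.0.2.1"),
    "b.other.test": ("A", "192.0.2.1"),
    "c.other.test": ("A", "192.0.2.1"),
    "d.other.test": ("A", "192.0.2.1"),
}


def resolve_chain(name, dns=DNS, max_hops=8):
    """Follow CNAMEs from name; return (chain, ip). ip is None if the chain
    dead-ends, loops, or exceeds max_hops."""
    chain = [name]
    seen = {name}
    while len(chain) <= max_hops:
        rtype, value = dns.get(chain[-1], (None, None))
        if rtype == "A":
            return chain, value
        if rtype != "CNAME" or value in seen:
            return chain, None
        seen.add(value)
        chain.append(value)
    return chain, None


def third_party_provider(chain, suffixes=THIRD_PARTY_SUFFIXES):
    """Return the provider kind if any CNAME hop lands in a known third-party
    zone, else None. The first element of chain is the queried name itself."""
    for hop in chain[1:]:
        for suffix, kind in suffixes.items():
            if hop == suffix or hop.endswith("." + suffix):
                return kind
    return None


def shared_ips(dns=DNS, threshold=SHARED_IP_THRESHOLD):
    """IPs that more than `threshold` distinct names resolve to."""
    owners = defaultdict(set)
    for name in dns:
        _, ip = resolve_chain(name, dns)
        if ip:
            owners[ip].add(name)
    return {ip for ip, names in owners.items() if len(names) > threshold}


def classify(domains, dns=DNS):
    """Map each domain to 'first-party', 'third-party:<kind>', 'shared-ip'
    or 'unresolved'. Third-party hosting is checked before the shared-IP
    rule because a CNAME into a provider zone is the stronger signal."""
    shared = shared_ips(dns)
    result = {}
    for d in domains:
        chain, ip = resolve_chain(d, dns)
        kind = third_party_provider(chain)
        if kind:
            result[d] = f"third-party:{kind}"
        elif ip is None:
            result[d] = "unresolved"
        elif ip in shared:
            result[d] = "shared-ip"
        else:
            result[d] = "first-party"
    return result


if __name__ == "__main__":
    for d, v in classify(["www.acme.test", "shop.acme.test", "vpn.acme.test",
                          "loop.acme.test", "a.other.test"]).items():
        print(f"{d:18} {v}")
```

In this model a finding on `203.0.113.10` would be reported against the CDN rather than against `www.acme.test`, and findings on `192.0.2.1` would be dropped from all four `other.test` names once the shared-IP threshold is crossed.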

A data breach of a significant vendor was reported in the news this week. Why don’t I see it mentioned in your platform?

SecurityScorecard maintains a large corpus of historical data breaches covering the past 20 years and totalling over 35,000 unique breach reports. This data set helps inform Vendor Risk Management teams and allows our data science team to tune our scoring algorithms to more properly reflect breach likelihood. While not all breaches are publicly reported, SecurityScorecard continues to evaluate new sources of breach data, especially as breach disclosure becomes mandated in certain geographical regions or business sectors.

One of your competitors detected malware on my network, but this finding doesn’t appear on my scorecard. Why not?

SecurityScorecard operates one of the largest networks of malware sinkholes, collecting over 1 billion indicators of compromise every day and discovering malware emanating from hundreds of thousands of organizations. Malware activity is detected externally to a company’s network, without any intrusive measures.

SecurityScorecard’s Threat Intel team includes experts who reverse engineer malware to help characterize the behavior and threat level of different malware families, despite the ongoing efforts of malware authors, criminal groups, and nation state actors, who use evolving coding techniques and communication methodologies to evade detection.

While no single tool or security solution can discover or observe all malware activity, SecurityScorecard does observe a significant amount of malware, which constitutes a representative sample and informs on the security awareness and hygiene of target organizations.

It seems that small companies have ‘A’ scores, while large companies seem to have lower scores trending to ‘D’ or ‘F’. Why is that?

Although it may appear that way, it is not the case. One of the challenges facing any cybersecurity ratings platform is providing fair scores for both large and small organizations. Larger enterprises with thousands or millions of IPs naturally have a larger attack surface than smaller firms with a smaller digital footprint. SecurityScorecard has implemented a principled statistical framework that compares organizations to others of comparable size. This approach ensures a meaningful distribution of scores from A to F for large and small companies and all sizes in between.