EBOOK MethodologyDeepDive 3.0 - v2 1

A Deep Dive in Scoring Methodology
By Bob Sohval, PhD
VP Data Science

1 | A Deep Dive in Scoring Methodology
©2024 SecurityScorecard Inc. All Rights Reserved.
Table of Contents

Cybersecurity Ratings ............ 3
What do Scores Mean? ............ 4
Factor Scores ............ 4
Cybersecurity Signals ............ 5
Signal Processing Workflow ............ 19
Signal Collection ............ 20
Attribution Engine ............ 20
Cyber Analytics ............ 21
Scoring Engine ............ 21
Scoring Methodology ............ 21
Size Normalization ............ 22
Calibration Process ............ 23
Calculating Factor Scores ............ 23
Breach Penalty ............ 25
Keeping the Scoring Framework Current ............ 26
Calibration Cadence ............ 26
Industry Comparisons ............ 27
Industry Categories ............ 27
Collaboration with End Users ............ 28
Validation ............ 29
Limitations ............ 30
FAQ ............ 31

Cybersecurity Ratings

SecurityScorecard evaluates organizations' security profiles non-intrusively, using an 'outside-in' methodology. This approach enables SecurityScorecard to operate at scale, measuring and updating cybersecurity ratings daily on more than one million organizations globally.

The rise of the internet and its global role in e-commerce, business operations, communications, and social media has created both opportunities and risks. While it can fuel economic growth and speed up the dissemination of news and ideas, the existence of vulnerabilities in commonly used software products and services, and poor adherence to recommended security practices, can expose organizations to significant financial and reputational harm at the hands of malicious actors, including both individuals and nation states.

Cybersecurity ratings provide a means for objectively monitoring the security hygiene of organizations and gauging whether their security posture is improving or deteriorating over time. The ratings are valuable for vendor risk management programs, determining risk premiums for cyber insurance, credit underwriting and financial trading decisions, M&A due diligence information, executive-level reporting, and for self-monitoring. Cybersecurity ratings, and the extensive information on which they are based, are also helpful for assessing compliance with cybersecurity risk standards.



What do Scores Mean?

SecurityScorecard conveys detailed analysis of organizations' security postures with Total Score, an easy-to-understand letter grade, A (90-100) to F (< 60). Total Score directly reflects all the security issues that we discover on an organization's internet-facing assets using issue type weights.

Cybersecurity ratings can be compared to financial credit ratings. Just as a poor credit rating is associated with a greater probability of default, a poor cybersecurity rating is associated with a higher probability of sustaining a data breach or other adverse cyber event.

Validation of SecurityScorecard scores using statistical analysis demonstrates that companies with an F rating have a 13.8x greater likelihood of incurring a data breach compared to companies with an A.

Grade | Score
A | >90
B | 80-89
C | 70-79
D | 60-69
F | <60

Factor Scores

SecurityScorecard calculates and provides detailed reports on 10 different factor scores. The factor scores group and describe different aspects of cyber risk along multiple axes. They allow security teams to identify vulnerable areas and focus their remediation efforts where they will have the greatest impact.

Score factors have numeric scores of 0-100. Issue types are weighted based on relative breach risk. Issue type weights are the only weights that impact the total score. This makes the scoring calculation process clear and simple to understand.

Individual Factor Scores are calculated based on the severity and quantity of security issues or findings associated with the factor. A Factor Score of 100 indicates that no cybersecurity issues were detected for that factor.



Cybersecurity Signals

SecurityScorecard monitors hundreds of different cybersecurity signals and calculates a score based on a defined subset of issues. Each issue is associated with one of the ten risk factor groups and is assigned a weight reflecting its severity based on how closely correlated it is to breach likelihood. Informational and Positive issues (reflecting good security practice) are captured and presented to users for improved awareness, but do not contribute to the score.

The security issues measured by SecurityScorecard, along with the assigned factor, severity-based weight, update cadence and age-out window, are presented in the following table.

Notes:
• Severity levels are subject to change as we continue to improve and refine our scoring algorithm. These changes will occur as part of our quarterly scoring recalibrations, and the version number will be updated accordingly.
• Detailed descriptions, risks, and recommendations for each issue type can be found in the SecurityScorecard platform.

SecurityScorecard's 10 risk factor groups:
1 Application Security
2 Cubit Score
3 DNS Health
4 Endpoint Security
5 Hacker Chatter
6 Informational Leak
7 IP Reputation
8 Network Security
9 Patching Cadence
10 Social Engineering
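The two mechanics described above that a reader can actually exercise are the age-out window (a finding stops counting once it is older than its issue type's window, or never, when the window is "None") and the mapping from a 0-100 score to a letter grade. The following Python script is an added example, not SecurityScorecard's code: it embeds a handful of rows copied from the issue-type table, a set of constructed sample findings, and assumes (the document does not say) that the window is counted in days since the finding was last observed and that a finding is active while its age is at most the window. It does not attempt the weighting or normalization steps, which this section does not specify.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Rows copied from the document's issue-type table:
# issue type -> (factor, severity, age-out window).
# "None" in the table is represented as None: the finding never ages out.
ISSUE_TYPES: Dict[str, Tuple[str, str, Optional[int]]] = {
    "Malware Detected":                 ("IP Reputation",    "HIGH",   15),
    "Malware Infection Trail":          ("IP Reputation",    "LOW",    365),
    "Certificate Is Expired":           ("Network Security", "LOW",    45),
    "FTP Service Observed":             ("Network Security", "MEDIUM", 45),
    "Credentials at Risk (Historical)": ("Information Leak", "LOW",    None),
}

# Grade bands from the document's "What do Scores Mean?" section.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]


@dataclass(frozen=True)
class Finding:
    issue_type: str
    last_seen: date   # date the signal was last observed for this asset


def is_active(finding: Finding, as_of: date) -> bool:
    """Assumption (not stated in the document): the age-out window is a number
    of days since the finding was last seen, and a finding still counts while
    its age is <= the window."""
    _factor, _severity, window = ISSUE_TYPES[finding.issue_type]
    if window is None:
        return True
    return (as_of - finding.last_seen).days <= window


def active_findings(findings: List[Finding], as_of: date) -> List[Finding]:
    return [f for f in findings if is_active(f, as_of)]


def tally_by_factor(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Quantity of active findings per factor and severity: the two inputs the
    document says individual factor scores are built from."""
    tally: Dict[str, Dict[str, int]] = {}
    for f in findings:
        factor, severity, _window = ISSUE_TYPES[f.issue_type]
        by_sev = tally.setdefault(factor, {})
        by_sev[severity] = by_sev.get(severity, 0) + 1
    return tally


def letter_grade(score: float) -> str:
    """Map a 0-100 score to the document's letter grade (A 90-100 ... F < 60)."""
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"


# Constructed sample findings (not real data) for a scorecard dated 2024-06-30.
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("Malware Detected",                 date(2024, 6, 20)),  # 10 days old: active
    Finding("Malware Infection Trail",          date(2023, 9, 1)),   # 303 days old, window 365: active
    Finding("Certificate Is Expired",           date(2024, 5, 1)),   # 60 days old, window 45: aged out
    Finding("FTP Service Observed",             date(2024, 6, 1)),   # 29 days old: active
    Finding("Credentials at Risk (Historical)", date(2021, 1, 1)),   # no age-out: active
]

if __name__ == "__main__":
    active = active_findings(SAMPLE_FINDINGS, AS_OF)
    for factor, counts in sorted(tally_by_factor(active).items()):
        print(f"{factor}: {counts}")
    for s in (100, 90, 85, 59.5):
        print(s, letter_grade(s))
```

Running the script shows the expired-certificate finding dropping out of the tally while the historical credential exposure, whose window is "None", is still counted years later; that difference is why the historical issue types carry a lower severity than their current counterparts in the table.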

Issue Type | Factor | Severity | Recommendation | Frequency | Age Out
Active CVE Exploitation Attempted | IP Reputation | LOW | Investigate the IP listed in the Findings table below. Then perform an incident response management process. | Varies* | 15
Adware Installation | IP Reputation | LOW | Investigate the devices associated with the IP addresses listed, checking for evidence of adware installations. | Varies* | 30
Adware Installation Trail | IP Reputation | LOW | Investigate the devices associated with the IP addresses listed, checking for evidence of adware installations. | Varies* | 365
Age exposed | Information Leak | INFO | Reset the password for the compromised account. If the username is no longer active, ensure that no other services link to the affected email address, such as cloud-based applications that your organization uses. | Varies* | 15
Alleged Breach Incident | Hacker Chatter | MEDIUM | Investigate the alleged activity to determine if it can be substantiated and remediate as necessary. | Varies* | 30
Anonymous Open Proxy | IP Reputation | LOW | Review the business necessity of hosting a public proxy server, and remove it from the Internet if possible. If not possible, consider restricting the service by allowlisting the IP addresses that require access, or implementing authentication. If there is no known reason for a proxy service to be present, check for evidence of malware infections or other types of compromise. | Varies* | 45
Apache Cassandra Service Observed | Network Security | MEDIUM | Exposing database services to the Internet is not recommended. Consider placing the service behind a VPN, preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP addresses that require access. | Weekly | 45
Apache CouchDB Service Observed | Network Security | MEDIUM | Exposing database services to the Internet is not recommended. Consider placing the service behind a VPN, preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP addresses that require access. | Weekly | 45
API key exposed | Information Leak | INFO | Reset the password for the compromised account. If the username is no longer active, ensure that no other services link to the affected email address, such as cloud-based applications that your organization uses. | Varies* | 15
Apple AirPort Device Detected | Network Security | LOW | Place the wireless administrative portal behind a firewall. | Weekly | 45
Attack Detected | IP Reputation | LOW | Investigate the devices associated with the IP addresses listed, checking for evidence of malware infections. | Varies* | 30
Attempted Information Leak | Information Leak | LOW | Investigate the IP listed in the Findings table below. Then perform an incident response management process. | Varies* | 15
Birthday exposed | Information Leak | INFO | Reset the password. Subscribe to an identity-monitoring service to ensure no unauthorized accounts were made in the user's name. | Varies* | 15
Bitcoin Server Exposed | Network Security | INFO | Assess the business need for exposing a Bitcoin server to the internet, and consider placing it behind a firewall. | Weekly | 45
Browser Average Age Indicates Older Versions | Endpoint Security | LOW | Update the web browsers in question to the latest major release versions. Enable automatic updates if available from your web browser vendor and permitted in your environment. | Varies* | None
Browser logs contain debug messages | Application Security | LOW | Follow best practices to keep sensitive information out of browser logs. | Weekly | 15
CDN Used | Network Security | LOW | Identification of a CDN could be useful information to your customers and partners, and there is no recommended action. | Weekly | 45
Certificate Is Expired | Network Security | LOW | Services presenting expired certificates should cause noticeable failures, so confirm the service is still in use. If the service is not in use, decommission it. Otherwise, contact the CA and arrange issuance of a new certificate. | Weekly | 45
Certificate Is Revoked | Network Security | HIGH | If the service is not in use, decommission it. Otherwise, contact the CA and arrange issuance of a new certificate. | Weekly | 45
Certificate Is Self-Signed | Network Security | LOW | If the service is not in use, decommission it. Otherwise, contact the CA and arrange issuance of a new certificate. | Weekly | 45


Issue Type | Factor | Severity | Recommendation | Frequency | Age Out
Certificate key is smaller than recommended size | Application Security | LOW | Migrate to larger keys. | Weekly | 15
Certificate Lifetime Is Longer Than Best Practices | Network Security | LOW | If the service is not in use, decommission it. Otherwise, contact the CA and arrange issuance of a new certificate. | Weekly | 45
Certificate Signed With Weak Algorithm | Network Security | LOW | If the service is not in use, decommission it. Otherwise, contact the CA and arrange issuance of a new certificate. | Weekly | 45
Certificate Without Revocation Control | Network Security | LOW | If the service is not in use, decommission it. Otherwise, contact the CA and arrange issuance of a new certificate. | Weekly | 45
Cleartext password exposed | Information Leak | MEDIUM | Reset the password for the compromised account. If the username is no longer active, ensure that no other services link to the affected email address, such as cloud-based applications that your organization uses. | Varies* | 15
Cloud Provider Service Used | Network Security | INFO | Identification of a cloud provider service could be useful information to your customers and partners, and there is no recommended action. | Weekly | 45
Cobalt Strike C2 Detected | IP Reputation | INFO | When a Cobalt Strike C2 service is detected on a server on which it has no legitimate reason or authorization to be deployed, it is likely that a breach has occurred. Investigate the server logs to determine what methods the attacker used to gain access, such as brute force, stolen credentials, exploited vulnerabilities, or remote code execution (RCE). Quarantine the server as soon as possible. Remove the Cobalt Strike C2 installation from the server. Change the passwords on any accounts associated with the server. If possible, place the server behind the firewall. Block the IP address from which the attacker originated. | Varies* | 15
Cobalt Strike C2 server detected | Network Security | MEDIUM | Investigate the logs on the server on which the Cobalt Strike C2 was installed to determine how the attacker was able to access your domain. Remove the Cobalt Strike C2 installation from the breached server. Change the passwords on any accounts associated with the server. If possible, place the server behind the firewall. Block the IP address from which the attacker originated. | Weekly | 45
Content Security Policy (CSP) Missing | Application Security | LOW | Enable CSP headers via your web server configuration. | Weekly | 45
Content Security Policy Contains 'unsafe-*' Directive | Application Security | LOW | • Remove the unsafe directives from the content security policy. For trusted resources that must be used inline with HTML, you can use nonces or hashes in your content security policy's source list to mark the resources as trusted. • Nonces are randomly generated numbers placed with inline content that you trust. By including the nonce in both the content and the header, the browser knows to trust the script. • Example inline script with a nonce: <script nonce=aBFef03nceIOfn39hr3rsatsdfa>alert('Hello, world.');</script> • Example policy that allows the inline script to be run without unsafe directives: Content-Security-Policy: script-src 'nonce-aBFef03nceIOfn39hr3rsatsdfa' • Warning: For nonces to be effective, they must be randomly regenerated every time the page is loaded. If an attacker can guess the nonce value, the protection is useless. • Hashes work similarly to nonces, but only need to be generated once. By taking the hash of a script and including it in the header, it will mark the script as trusted. If the attacker tries to change the script, the hash will change and it will no longer be trusted. • Example inline script to be hashed: <script>alert('Hello, world.');</script> • Example policy that allows the inline script to be run without unsafe directives: Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng=' | Weekly | 45
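The 'unsafe-*' row above explains nonces and hashes in prose; the Python below is an added example (not SecurityScorecard's code, and not tied to any specific web framework) that shows the server-side half of that advice: computing the 'sha256-...' source for an inline script, minting a fresh nonce per response, and a simplified model of the browser-side check that demonstrates why a tampered script or a guessed nonce is rejected. The script body used is the document's own sample, alert('Hello, world.'); the helper names are this example's, and the policy check deliberately ignores 'unsafe-inline' since the whole point of the finding is to do without it.

```python
import base64
import hashlib
import secrets
from typing import Optional


def csp_script_hash(script_body: str) -> str:
    """CSP hash source for an inline script. The browser hashes the exact text
    between <script> and </script> (tags excluded) with SHA-256 and compares
    it against 'sha256-<standard base64>' entries in script-src."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh 128-bit nonce for one response. The document warns that a nonce
    an attacker can guess gives no protection, so it is never reused."""
    return secrets.token_urlsafe(16)


def script_src_value(*sources: str) -> str:
    """Build the script-src directive value that goes into the
    Content-Security-Policy response header."""
    return "script-src " + " ".join(sources)


def script_allowed(policy_value: str, script_body: str,
                   nonce: Optional[str] = None) -> bool:
    """Simplified model of the browser's decision for an inline script:
    allowed only if script-src lists the script's hash, or the nonce carried
    by the <script> tag. 'unsafe-inline' is intentionally not honoured."""
    parts = policy_value.split(None, 1)
    if not parts or parts[0] != "script-src":
        return False
    sources = set(parts[1].split()) if len(parts) > 1 else set()
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return csp_script_hash(script_body) in sources


if __name__ == "__main__":
    body = "alert('Hello, world.');"   # the document's sample inline script
    nonce = new_nonce()
    print("Content-Security-Policy:", script_src_value(f"'nonce-{nonce}'"))
    print("Content-Security-Policy:", script_src_value(csp_script_hash(body)))
    print("tampered script allowed:",
          script_allowed(script_src_value(csp_script_hash(body)), body + "//x"))
```

The hash form is the one to prefer for scripts that never change, because the header can be static; the nonce form suits templated pages, provided the nonce is generated per response and injected into both the header and every trusted <script> tag.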


Issue Type | Factor | Severity | Recommendation | Frequency | Age Out
Content Security Policy Contains Broad Directives | Application Security | LOW | Explicitly specify trusted sources for your script-src and object-src policies. Ideally you can use the 'self' directive to limit scripts and objects to only those on your own domain, or you can explicitly specify domains that you trust and rely upon for your site to function. | Weekly | 45
Credentials at Risk | Information Leak | MEDIUM | Ensure employees are not using the affected credentials for any corporate or third-party logins. Ensure that all passwords have been changed since the indication of breach. In the case of corporate passwords, check logs for repeated failed login attempts or repeated password reset attempts from suspicious IP addresses. | Varies* | 90
Credentials at Risk (Historical) | Information Leak | LOW | Ensure employees are not using the affected credentials for any corporate or third-party logins. Ensure that all passwords have been changed since the indication of breach. In the case of corporate passwords, check logs for repeated failed login attempts or repeated password reset attempts from suspicious IP addresses. | Varies* | None
DNS Server Accessible | Network Security | MEDIUM | Perform a security audit of your DNS server configuration and apply any necessary controls, such as a firewall or DNS Security Extensions. | Weekly | 45
Domain Advertised as Ransomware Victim | Hacker Chatter | HIGH | Perform a system audit to find how the attackers were able to gain entry. Then fix the issue. This may involve having to reset passwords or deploying other authentication methods. When you verify that no trace of the attacker remains, restore the data from the most recent good backups if possible. Make sure to notify parties whose data may have been compromised. | Varies* | 90
DOS Attack Attempt Detected | IP Reputation | LOW | Investigate the IP listed in the Findings table below. Then perform an incident response management process. | Varies* | 15
Elasticsearch Service Observed | Network Security | MEDIUM | Remove the service from the Internet. Consider placing the service behind a VPN, preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP addresses that require access. | Weekly | 45
Email exposed | Information Leak | MEDIUM | Reset the password for the compromised account. If the username is no longer active, ensure that no other services link to the affected email address, such as cloud-based applications that your organization uses. | Varies* | 15
Embedded IOT Web Server Exposed | Network Security | LOW | Place the IOT web server behind a firewall. | Weekly | 45
Employer exposed | Information Leak | LOW | Reset the password for the compromised account. If the username is no longer active, ensure that no other services link to the affected email address, such as cloud-based applications that your organization uses. | Varies* | 15
End-of-Life Product | Patching Cadence | MEDIUM | Ensure the affected product has an extended support contract that includes security patches. Review the vendor's statement of EOL guidelines for replacement products and upgrade to a new product line or manufacturer. | Weekly | 45
End-of-Service Product | Patching Cadence | MEDIUM | Replace or upgrade the affected product. Review the vendor's statement of EOS guidelines for replacement products or contact the vendor. In some cases, it may be possible to negotiate a custom support plan for the EOS product. | Weekly | 45
Exploit Attempt Detected | Information Leak | MEDIUM | Investigate the IP listed in the Findings table below. Then perform an incident response management process. | Varies* | 15
Exposed Personal Information | Social Engineering | LOW | It's not feasible to remove the information from the internet once exposed, so mitigation against social engineering attacks is recommended. Ensure that: employees have regular cyber security awareness training; protocols are established for handling sensitive information; periodic, unannounced tests are performed. | Varies* | 90
Exposed Personal Information (Historical) | Social Engineering | LOW | It's not feasible to remove the information from the internet once exposed, so mitigation against social engineering attacks is recommended. Ensure that: employees have regular cyber security awareness training; protocols are established for handling sensitive information; periodic, unannounced tests are performed. | Varies* | None
FTP Service Observed | Network Security | MEDIUM | Review the business necessity of hosting a public FTP server, and remove it from the Internet if possible. If not possible, consider restricting the service by allowlisting the IP addresses that require access. | Weekly | 45
Hashed password exposed | Information Leak | INFO | Reset the password for the compromised account. If the username is no longer active, ensure that no other services link to the affected email address, such as cloud-based applications that your organization uses. | Varies* | 15
Issue Type | Factor | Severity | Recommendation | Frequency | Age Out
High Severity Content Management System vulnerabilities identified | Application Security | MEDIUM | To resolve this issue, review the version of the CMS and plug-ins in use and ensure that they are updated. Put in place a system of constant CMS patching and reviews of new vulnerabilities from the security center of the CMS developer site. | Weekly | 45
High Severity CVEs Patching Cadence | Patching Cadence | LOW | Monitor CVE lists and vulnerability repositories for exploit code that may affect your infrastructure. Subscribe to the BugTraq mailing list to be alerted to new exploits and vulnerabilities as they are released. Maintain a regular updating schedule for all software and hardware in use within your enterprise, ensuring that all the latest patches are implemented as they are released. | Weekly | 120
High-severity CVE patching analyzed | Patching Cadence | INFO | Monitor CVE lists and vulnerability repositories for exploit code that may affect the network infrastructure. Subscribe to the National Vulnerability Database (NVD) RSS or other feeds to learn of new exploits and vulnerabilities as they are released. Maintain a regular updating schedule for all your software and hardware, and apply all the latest patches as they are released. Also, correlate this analysis with individual CVE findings in your Scorecard to help you better understand the effectiveness of your patching practices. | Weekly | 1
High-Severity Vulnerability in Last Observation | Patching Cadence | MEDIUM | Update or patch affected software and hardware. Enable automatic updates if available from your software vendor and permitted in your environment. Monitor CVE lists and vulnerability repositories for exploit code that may affect your infrastructure. Subscribe to the Bugtraq mailing list to be alerted to new exploits and vulnerabilities as they are released. Maintain a regular update schedule for all software and hardware in use within your organization, ensuring that all the latest patches are applied soon after they are released. | Weekly | 45
HTTP Proxy Service Detected | Network Security | MEDIUM | Verify whether the HTTP proxy service has a legitimate use. Otherwise, remove it from your network. | Weekly | 45
IMAP Service Observed | Network Security | MEDIUM | Review the business necessity of hosting a public IMAP server, and remove it from the Internet if possible. If not possible, consider restricting the service by allowlisting the IP addresses that require access. | Weekly | 45
Industrial Control System Device Accessible | Network Security | MEDIUM | Review the business necessity of exposing an ICS device, such as Modbus, DNP3, BACNET, or other critical infrastructure devices. Place such devices behind a VPN or firewall. If it is not possible to remove the service from the internet, consider restricting the service by adding dependent IPs to an allow list. | Weekly | 45
Insecure channel exposes sensitive information | Application Security | MEDIUM | Ensure that all pages in your site enforce use of SSL encryption and HTTPS protocol. | Weekly | 15
Insecure HTTPS Redirect Pattern | Application Security | LOW | Any HTTP site should redirect the user to a secure (i.e. HTTPS) version of the same domain that was originally requested (or a higher-level/parent version of that same domain). For example, http://www.example.com should only redirect either to https://www. | Weekly | 45
Instant messaging account exposed | Information Leak | INFO | Reset the password. For cases where the username is no longer used, ensure that no other services link to the affected email/user. Suggest to the affected user to not accept chat requests with unknown parties. | Varies* | 15
IP address exposed | Information Leak | LOW | Have members of your organization use a virtual private network (VPN) to prevent threat actors from tracing their internet activity to the organization. Discourage use of the corporate network for personal use. | Varies* | 15
IP Camera Accessible | Network Security | MEDIUM | Review the business necessity of exposing a public IP camera feed. Only keep it open when necessary, for example, for a purposely open feed. Even then, you could embed it in a website without exposing the underlying camera IP. If removal is not possible, | Weekly | 45
IP on blacklist due to malicious activity | IP Reputation | MEDIUM | Regularly monitor IP reputation databases for any posted IP address that belongs to the organization. Investigate to rule out that the posting is a false positive or malicious. If not, remediate any issues on the IP address that are likely causing it to be on a blocklist. For example, scan for, and remove, any malware on it. Ask the publisher of the blocklist to remove the IP address. Deploy email filtering and firewalls using the blocklists to deter inbound spam and malicious traffic. | Varies* | 15


Issue Type | Factor | Severity | Recommendation | Frequency | Age Out
iSCSI Device Exposed | Network Security | LOW | Assess the business need for exposing the iSCSI device, and consider placing it behind a firewall. | Weekly | 45
Java Debugger Detected | Network Security | INFO | Place the Java debugging service behind a firewall or otherwise block it from detection on the internet. | Weekly | 45
Known compromised or Hostile Host | IP Reputation | MEDIUM | Investigate the IP listed in the Findings table below. Then perform an incident response management process. | Varies* | 15
Language exposed | Information Leak | INFO | Reset the password for the compromised account. If the username is no longer active, ensure that no other services link to the affected email address, such as cloud-based applications that your organization uses. | Varies* | 15
LDAP Server Accessible | Network Security | MEDIUM | Observe security best practices for your LDAP server and apply controls, such as using TLS to encrypt sessions. | Weekly | 45
LDAP Server Allows Anonymous Binding | Network Security | MEDIUM | Disable anonymous binding on your LDAP server, which is easy to do. | Weekly | 45
Link redirects to insecure website | Application Security | LOW | Ensure that all of your website's link or redirect destinations are secure, or provide visitors with explicit warnings when they are not. | Weekly | 15
Low Severity Content Management System vulnerabilities identified | Application Security | MEDIUM | To resolve this issue, review the version of the CMS and plug-ins in use and ensure that they are updated. Put in place a system of constant CMS patching and reviews of new vulnerabilities from the security center of the CMS developer site. | Weekly | 45
Low Severity CVEs Patching Cadence | Patching Cadence | LOW | Monitor CVE lists and vulnerability repositories for exploit code that may affect your infrastructure. Subscribe to the BugTraq mailing list to be alerted to new exploits and vulnerabilities as they are released. Maintain a regular updating schedule for all software and hardware in use within your enterprise, ensuring that all the latest patches are implemented as they are released. | Weekly | 60
Low-severity CVE patching analyzed | Patching Cadence | INFO | Monitor CVE lists and vulnerability repositories for exploit code that may affect the network infrastructure. Subscribe to the National Vulnerability Database (NVD) RSS or other feeds to learn of new exploits and vulnerabilities as they are released. Maintain a regular updating schedule for all your software and hardware, and apply all the latest patches as they are released. Also, correlate this analysis with individual CVE findings in your Scorecard to help you better understand the effectiveness of your patching practices. | Weekly | 1
Low-Severity Vulnerability in Last Observation | Patching Cadence | MEDIUM | Update or patch affected software and hardware. Enable automatic updates if available from your software vendor and permitted in your environment. Monitor CVE lists and vulnerability repositories for exploit code that may affect your infrastructure. Subscribe to the Bugtraq mailing list to be alerted to new exploits and vulnerabilities as they are released. Maintain a regular update schedule for all software and hardware in use within your organization, ensuring that all the latest patches are applied soon after they are released. | Weekly | 45
Malformed SPF Record | DNS Health | MEDIUM | A malformed SPF record can occur as the result of different conditions including: creating multiple SPF records per domain, invalid modifiers, and reaching the maximum number of modifiers. The SPF standard can be found at https://tools.ietf.org/html/rfc7208. Additionally, there are tools available at the SPF Project, http://www.open-spf.org/Tools. | Weekly | 15
Malicious botnet C2 server detected | IP Reputation | HIGH | Investigate the IP listed in the Findings table below. Then perform an incident response management process. | Varies* | 15
Malicious Scan Detected | IP Reputation | HIGH | Investigate the IP listed in the Findings table below. Then perform an incident response management process. | Varies* | 15
Malicious TOR Exit Node Detected | IP Reputation | HIGH | Avoid using Tor for business purposes whenever possible and use a virtual private network (VPN) to encrypt internet traffic. | Varies* | 15
Malicious TOR Relay/Router Node Detected | IP Reputation | LOW | Avoid using Tor for business purposes whenever possible and use a virtual private network (VPN) to encrypt internet traffic. | Varies* | 15


Issue Type | Factor | Severity | Recommendation | Frequency | Age Out
Malicious User Agent Detected | IP Reputation | LOW | Create rules to normalize user-agent strings to enable monitoring of endpoints for out-of-date applications and unauthorized software. Remove this computer from the network and reinstall its operating system. Disable unnecessary ports, protocols, or services. Restrict or discontinue any use of FTP and Telnet services, non-approved VPN services, or remote network administration tools. Change all account passwords and enforce a strong password policy. Train employees to anticipate and prevent social engineering attacks. | Varies* | 15
Malware Controller Observed | IP Reputation | LOW | Investigate the devices associated with the IP addresses listed, checking for evidence of malware infections. | Varies* | 30
Malware Detected | IP Reputation | HIGH | Disconnect the device from your network, back up important files, run a malware scan, and reinstall the operating system. Then restore backed-up files. For long-term protection, maintain a schedule of recurring malware scans and train the organization to anticipate, and prevent, social engineering campaigns. | Varies* | 15
Malware Infection | IP Reputation | LOW | Investigate the devices associated with the IP addresses listed, checking for evidence of malware infections. | Varies* | 30
Malware Infection Trail | IP Reputation | LOW | Investigate the devices associated with the IP addresses listed, checking for evidence of malware infections. | Varies* | 365
Medium Severity Content Management System vulnerabilities identified | Application Security | MEDIUM | To resolve this issue, review the version of the CMS and plug-ins in use and ensure that they are updated. Put in place a system of constant CMS patching and reviews of new vulnerabilities from the security center of the CMS developer site. | Weekly | 45
Medium Severity CVEs Patching Cadence | Patching Cadence | LOW | Monitor CVE lists and vulnerability repositories for exploit code that may affect your infrastructure. Subscribe to the BugTraq mailing list to be alerted to new exploits and vulnerabilities as they are released. Maintain a regular updating schedule for all software and hardware in use within your enterprise, ensuring that all the latest patches are implemented as they are released. | Weekly | 90
Medium-severity CVE patching analyzed | Patching Cadence | INFO | Monitor CVE lists and vulnerability repositories for exploit code that may affect the network infrastructure. Subscribe to the National Vulnerability Database (NVD) RSS or other feeds to learn of new exploits and vulnerabilities as they are released. Maintain a regular updating schedule for all your software and hardware, and apply all the latest patches as they are released. Also, correlate this analysis with individual CVE findings in your Scorecard to help you better understand the effectiveness of your patching practices. | Weekly | 1
Medium-Severity Vulnerability in Last Observation | Patching Cadence | MEDIUM | Update or patch affected software and hardware. Enable automatic updates if available from your software vendor and permitted in your environment. Monitor CVE lists and vulnerability repositories for exploit code that may affect your infrastructure. Subscribe to the Bugtraq mailing list to be alerted to new exploits and vulnerabilities as they are released. Maintain a regular update schedule for all software and hardware in use within your organization, ensuring that all the latest patches are applied soon after they are released. | Weekly | 45
Microsoft SQL Server Service | Network Security | MEDIUM | Exposing database services to the Internet is not recommended. Consider placing the service behind a VPN, preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP | Weekly | 45
Observed
addresses that require access.
Unless you are an ISP or hosting provider, there is no need to run an externally exposed Minecraft server on your
Minecraft Server Accessible Network Security MEDIUM Weekly 45
network. If you do, add people approved for access to an allow list on a firewall.
Follow Center for Internet Security (CIS) benchmarks for best practices to secure targets or potential targets.
Ensure that all IoT devices are on a separate network from systems critical for daily operations. Keep IoT device
Mirai Botnet Traffic Detected IP Reputation MEDIUM Varies* 15
versions and operating systems up to date. Run regular malware scans. Change all account passwords and enforce
a strong password policy. Train employees to anticipate and prevent social engineering attacks.
Mobile Printing Service Determine whether exposing a mobile printing service to the internet is necessary. If not, place it behind a firewall
Network Security LOW Weekly 45
Detected and restrict its access to trusted users.

11 | A Deep Dive in Scoring Methodology


Issue Type Factor Severity Recommendation Frequency Age Out
Exposing database services to the Internet is not recommended. Consider placing the service behind a VPN,
MongoDB Service Observed Network Security MEDIUM preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP Weekly 45
addresses that require access.
MySQL Server Running with
Network Security LOW Require a password challenge for your internet-exposed MySQL server, or place it behind a firewall. Weekly 45
Empty Password
Exposing database services to the Internet is not recommended. Consider placing the service behind a VPN,
MySQL Service Observed Network Security MEDIUM preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP Weekly 45
addresses that require access.
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Name exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Neo4j Database Accessible Network Security INFO Move the Neo4J database onto a VPN, or behind a firewall. Weekly 45
NetBus Remote Access
Network Security INFO Restrict NetBus service to known, essential users. Weekly 45
Service Detected
Network Attached Storage
Network Security HIGH Assess the business need for exposing a NAS device to the internet, and consider placing it behind a firewall. Weekly 45
Device Exposed
This issue type concerns a networking service or device, such as a router or service that is associated with routers like
Networking Service Observed Network Security MEDIUM Weekly 45
BGP, a firewall, or tunneling service. No change or update to your internet-facing assets is necessary.
Non-social media access Reset the password for the compromised account. If the username is no longer active, ensure that no other
Information Leak INFO Varies* 15
token exposed services link to the affected email address, such as cloud-based applications that your organization uses.
Non-standard links detected: Review the need to expose personal contact information and remove any unnecessary instances. Train your staff
Application Security LOW Weekly 15
Contact information displayed to heighten their awareness of signs of social engineering attacks.
Non-standard links detected:
Application Security LOW Follow security best practices for creating URLs and impose restrictions on file URLs if possible. Weekly 15
Local file path exposed
Non-standard links detected:
Application Security MEDIUM Use secure, encrypted protocols for transferring data. Weekly 15
Unsafe File Transfer Protocol
Non-standard links detected:
Application Security INFO Use secure, encrypted protocols for accessing computers remotely. Weekly 15
Unsafe Telnet protocol
November 2022 OpenSSL 3.X
Application Security HIGH Note the SSL versions in the Findings table below. Update vulnerable versions to the 3.0.7 patch. Weekly 45
vulnerability detected
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Occupation exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
According to the Open Resolver Project, the following DNS configurations should be implemented to avoid
Open DNS Resolver Detected DNS Health LOW becoming a target for abuse. Recursive servers should be limited only to enterprise or customer IP ranges, and not Weekly 45
accept connections from IP addresses
This issue type concerns a router, server, or networking device that is running OpenVPN on your network. No
OpenVPN Device Accessible Network Security MEDIUM change or update to your internet-facing assets is necessary, but examining such devices for evidence of Weekly 45
compromise is recommended.

12 | A Deep Dive in Scoring Methodology


Issue Type Factor Severity Recommendation Frequency Age Out
Oracle Database Server
Network Security MEDIUM Move the Oracle database onto a VPN or behind a firewall, and only allow dependent applications to access it. Weekly 45
Accessible
Oracle Service Registry
Network Security INFO Place the Oracle Service Registry behind a firewall. Weekly 45
Detected
Update affected device's operating system. Enable automatic updates if available from your software vendor and
Outdated Operating System
Endpoint Security HIGH permitted in your environment. Maintain a regular update schedule for all software and hardware in use within your Weekly 30
Observed
organization, ensuring that all the latest patches are applied soon after they are released.
Outdated Web Browser Update the web browsers in question. Enable automatic updates if available from your web browser vendor and
Endpoint Security HIGH Varies* 30
Observed permitted in your environment.
Reset the password. Subscribe to an identity-monitoring service to ensure no unauthorized accounts were made in
Parent's name exposed Information Leak INFO Varies* 15
the user's name.
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Password exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Password hint exposed Information Leak MEDIUM Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Phishing Infrastructure IP Reputation INFO Investigate the devices associated with the IP addresses listed, checking for evidence of malware infections. Varies* 45
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Phone number exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Physical address exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Review the business necessity of hosting a public POP3 server, and remove it from the Internet if possible.
POP3 Service Observed Network Security MEDIUM Weekly 45
If not possible, consider restricting the service by allowlisting the IP addresses that require access.
Exposing database services to the Internet is not recommended. Consider placing the service behind a VPN,
PostgreSQL Service Observed Network Security MEDIUM preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP Weekly 45
addresses that require access.
Identify the version of the product running on the IP address listed in the Findings table below. Search for
Potential vulnerability vulnerability advisories about that version published by the product provider or the CVE database, which you can
Application Security INFO Weekly 20
detected link to in the References section of this page. Follow the remediation guidance of the provider or trusted industry
experts.
Potentially Vulnerable Investigate the devices associated with the IP addresses listed, checking for evidence of PVA installations. Watch
IP Reputation HIGH Varies* 30
Application (PVA) Installation for potentially malicious interactions between expired domains and PVAs.
Potentially Vulnerable
Investigate the devices associated with the IP addresses listed, checking for evidence of PVA installations. Watch
Application Installation (PVA) IP Reputation LOW Varies* 365
for potentially malicious interactions between expired domains and PVAs.
Trail
Review the business necessity of running a PPTP service on your network. PPTP is an obsolete and insecure method
PPTP Service Accessible Network Security MEDIUM Weekly 45
for implementing VPNs. Migrate the service to a more secure VPN implementation, such as OpenVPN.
Assess whether there is a business need to expose your printer to the internet. If so, prevent access by
Printer Detected Network Security MEDIUM Weekly 45
unknown parties by placing it behind a firewall or using an access control list (ACL).

13 | A Deep Dive in Scoring Methodology


Issue Type Factor Severity Recommendation Frequency Age Out
No patch currently exists. However, monitor the Microsoft Security Response Center advisory in the references for
this issue to keep abreast of relevant updates, including a patch release. Microsoft has posted several detection
Product Potentially Impacted methods for exploitation of these CVEs using Microsoft Defender for the Endpoint and Microsoft Defender Antivirus
by CVE-2022-41040 & Network Security LOW related to webshell exploitation including the exister Chopper detections. If possible, remove the microsoft-exchange Weekly 45
CVE-2022-41082 service from the public Internet and place it behind a firewall or VPN, so only internal users can access it. This will
mitigate exploitation by non-organization entities, though this will not mitigate an insider threat or adversary already
within the network looking to pivot off these vulnerabilities to gain higher level access to systems.
No patch currently exists; however, monitor the Microsoft Security Response Center advisory in the references for this
issue to keep abreast of relevant updates, including a patch release. Microsoft has posted several detection methods
for exploitation of these CVEs using Microsoft Defender for the Endpoint and Microsoft Defender Antivirus related
Product Potentially Impacted
Network Security LOW to webshell exploitation including the exister Chopper detections. If possible, remove the microsoft httpapi or Weekly 45
by PowerShell Remoting RCE
microsoft-httpapi service from the public Internet and place it behind a firewall or VPN, so only internal users can
access it. This will mitigate exploitation by non-organization entities, though this will not mitigate an insider threat or
adversary already within the network looking to pivot off these vulnerabilities to gain higher-level access to systems.
Update Log4j to 2.17.1 or a later version immediately. This version only runs on Java 8, so make sure to
Product Running Vulnerable
Network Security HIGH update Java if you are using an earlier version. If multiple Log4j installations are on an impacted machine, note Weekly 45
Log4j Version
each can contain a vulnerable version of Log4j, and you may need to remediate each independently.
Products Susceptible To Update your internet-facing products that are susceptible to ransomware attacks, evaluate the necessity
IP Reputation LOW Weekly 45
Ransomware Exploits Exposed of exposing them to the internet, and tightly limit their access based on business need, if possible.
This issue type concerns Pulse Connect Secure VPN running on routers, servers, or networking devices on your
Pulse Connect Secure VPN
Network Security MEDIUM network. No change or update to your internet facing assets is immediately necessary, but examining devices that Weekly 45
Product Observed
run the VPN is recommended.
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Race exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Ransomware Infection Look for evidence of ransomware infection in the assets associated with the IP addresses listed in
IP Reputation HIGH Varies* 30
Detected the Findings table below.
Ransomware Infection Trail Look for evidence of ransomware infection in the assets associated with the IP addresses listed in
IP Reputation HIGH Varies* 365
Detected the Findings table below.
Determine the business need of exposing these services to the public internet. If possible, isolate them
Ransomware –
behind a secure, patched VPN service or firewall with appropriate allowlisting for approved users. If they must be
Susceptible Remote Access Cubit Score HIGH Varies* 1
exposed, keep the services patched and updated continuously. Keep them under constant
Services Exposed
observation with logging and security monitoring.
Exposing remote access services to the Internet is not recommended. Consider placing the service
RDP Service Observed Network Security MEDIUM behind a VPN, preventing public access. If making the service private is not possible, restrict the service Weekly 45
by allowlisting the IP addresses that require access ransomware_association
Any HTTP site should immediately redirect users to HTTPS-protected URLs and ensure that any further redirects
Redirect Chain Contains HTTP Application Security HIGH do not occur over HTTP. Prefer the usage of HTTPS URLs over HTTP when available, avoiding an unnecessary Weekly 45
redirect.
Exposing database services to the Internet is not recommended. Consider placing the service behind a VPN,
Redis Service Observed Network Security MEDIUM preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP Weekly 45
addresses that require access.

14 | A Deep Dive in Scoring Methodology


Issue Type Factor Severity Recommendation Frequency Age Out
This issue type concerns a remote access service, such as a router providing a remote login service, or a
Remote Access Service
Network Security LOW Windows server providing a remote assistance service. Examine devices on a case-by-case basis, but no change Weekly 45
Observed
or update to your internet-facing asset is immediately necessary.
Exposing rsync services to the Internet is not recommended. Consider placing the service behind a VPN,
rsync Service Observed Network Security MEDIUM preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP Weekly 45
addresses that require access.
Security question Reset the password for the compromised account. If the username is no longer active, ensure that no other
Information Leak MEDIUM Varies* 15
and answer exposed services link to the affected email address, such as cloud-based applications that your organization uses.
Server certificate issued by Audit the site for any certificates issued by CAs in countries on denylists. Replace such certificates with those issued
Application Security LOW Weekly 15
country on denylist by CAs in reputable nations.
Inspect and address any operational problems on the server, especially those that could affect security. Keep a
Server error detected Application Security LOW Weekly 15
regular maintenance schedule for servers, applying patches whenever updates are available.
Server with Expired Avoid using a service on a website with an expired certificate. If possible, ask the website owner to renew the
Application Security LOW Weekly 15
Certificate Contacted expired certificate, especially if it is critical to your business.
Session Cookie Missing Set session cookies with the 'HttpOnly' attribute to ensure they can not be accessed by any other means.
Application Security HIGH Weekly 15
'HttpOnly' Attribute A cookie marked with 'HttpOnly' will prevent any malicious injected scripts from being able to access it.
Change the default 'Secure' attribute from FALSE to TRUE to ensure session cookies are sent only with HTTPS. The
Session Cookie Missing
Application Security HIGH 'Secure' attribute should be set on each cookie to prevent cookies from being observed by malicious actors. Implement Weekly 15
'Secure' Attribute
the 'Secure' attribute when using the Set-Cookie parameter during authenticated sessions.
Site does not enforce HTTPS Application Security LOW Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS. Weekly 15
Site Does Not Use Best
Add one of the following headers, using the 'DENY' or 'ALLOW-FROM' directive, to responses from this
Practices Against Embedding Application Security LOW Weekly 45
website: X-Frame-Options: DENY' X-Frame-Options: ALLOW-FROM https://example.com/'
of Malicious Content
Site emits visible browser logs Application Security LOW Prevent emission of browser logs in the developers console. Weekly 15
Site fails to load page
Application Security LOW Maintain a regular audit cycle for website code, replace bad code, and enforce secure coding standards. Weekly 15
components
Site links to insecure websites Application Security LOW Avoid providing links to insecure websites whenever possible. Weekly 15
Avoid using WebSockets to send user data. If there is a business requirement to use that protocol, add security
Site may use WebSockets measures such as: having WebSocket servers validate the "Origin" header against the expected origins during
Application Security LOW Weekly 15
to send user data connection establishment and using tokens or similar methods to authenticate the WebSocket connection when
sensitive data is being transferred over the WebSocket
Site receives data over Monitor the data the website is receiving from third-party sources in real time, in case malicious or
Application Security LOW Weekly 15
Websockets undesirable content is being sent directly to visiting browsers. Also, audit the content for sensitive data.
Site requests data over
Application Security LOW Ensure that all web pages and all content they contain is delivered over a SSL channel with HTTPS protocol. Weekly 15
insecure channel
Exposing SMB to the Internet is not recommended. Consider placing the service behind a VPN, preventing public
SMB Service Observed Network Security MEDIUM access. If making the service private is not possible, restrict the service by allowlisting the IP addresses that require Weekly 45
access.

15 | A Deep Dive in Scoring Methodology


Issue Type Factor Severity Recommendation Frequency Age Out
Determine whether your organization intended for the identified SMTP server to be running on an unusual port. If
SMTP Server on Unusual Port IP Reputation MEDIUM Weekly 45
not, investigate why and remediate accordingly.
This issue type concerns a device running an exposed SOAP service on your network, which could be serving web
SOAP Server Accessible Network Security MEDIUM Weekly 45
application traffic, device traffic, or other control services.
Reset the password. For cases where the username is no longer used, ensure that no other services link to the
Social media account exposed Information Leak INFO Varies* 15
affected email/user. Have the affected user set privacy controls to their social media accounts.
Reset the password for the compromised account. If the username is no longer active, ensure that no other services
Social media token exposed Information Leak INFO link to the affected email address, such as cloud-based applications that your organization uses. Varies* 15
Suggest to the affected user to check their social media account and delete unknown apps from their account.
Social Security number Reset the password for the compromised account. Subscribe to an identity-monitoring service to prevent creation
Information Leak MEDIUM Varies* 15
exposed of unauthorized accounts in the compromised name.
SOCKS Proxy Service Assess whether your use of a SOCKS proxy has a legitimate business purpose. If not, consider making it
Network Security MEDIUM Weekly 45
Detected inaccessible to the internet.
SPF Record Contains a Softfail To resolve this issue, enumerate the list of email servers that are authorized to send email on behalf of the domain.
DNS Health MEDIUM Weekly 15
without DMARC Update the SPF and DMARC records with the proper anti-spoofing controls.
To resolve this issue, enumerate the list of email servers that are authorized to send email on behalf of
SPF Record Found Ineffective DNS Health MEDIUM the domain. Update the SPF record with the correct email authorization list. See the reference link for Weekly 15
conventions to ensure that your records provide maximum protection against spoofing.
Create a valid Sender Policy Framework (SPF) record. Ensure the configuration of the SPF DNS record to verify
syntax and MTA servers. Test the configuration to make sure its valid by checking the header of an incoming email
SPF Record Missing DNS Health MEDIUM looking for ""spf=pass"" Allow for DNS caching during testing; it may take up to 48 hours to fully propagate across Weekly 15
the Internet. The nature of the SMTP protocol does not allow for complete prevention of spoofed emails, however
the SPF header will reveal whether the email is authentic.
SSH Software Supports Configure the SSH service to support only SSH protocol version 2 or higher. Upgrade the SSH service
Network Security MEDIUM Weekly 55
Vulnerable Protocol software to the latest version of software.
SSH Supports Weak Cipher Network Security MEDIUM Configure the SSH server to disable Arc four and CBC ciphers. Weekly 55
SSH Supports Weak MAC Network Security MEDIUM Configure the SSH server to disable the use of MD5. Weekly 55
SSL/TLS Service Supports
Network Security HIGH Disable the protocols listed in the evidence column of the measurement. Weekly 45
Weak Protocol
Investigate the devices associated with the IP addresses listed, checking for evidence of malware infections or
Suspicious Traffic Observed IP Reputation INFO Varies* 30
other types of compromise.
Telephony/VoIP Device This issue type is an internet-facing telephony service or device, such as a VoIP product or service associated with
Network Security HIGH Weekly 45
Accessible SIP, a SIP proxy, or similar protocols. No change is necessary, as there is no inherent risk.
Telnet is an inherently unsafe protocol. Remove the service from the Internet. If a remote access service is
Telnet Service Observed Network Security MEDIUM necessary, replace Telnet with SSH if possible. If not possible, often the case with older networked hardware, Weekly 45
ensure the service is only accessible by VPN.

16 | A Deep Dive in Scoring Methodology


Issue Type Factor Severity Recommendation Frequency Age Out
Perform a complete Digital Forensics and Incident Response (DFIR), starting with the flagged asset and expanding
to any assets that communicate with it. Refer to the Findings table below for the implicated IP address and port
Threat actor infrastructure
IP Reputation INFO numbers, the protocol used to host the threat actor infrastructure, and the SHA256 hash value of the malware Varies* 30
detected
detected in your asset’s communications. After removing the threat actor’s software, contact any organization who
blocked your affected IPs, and provide evidence to have the block removed.
There are no drawbacks to implementing OCSP stapling and servers should adopt this practice wherever
TLS Certificate Status
possible. In addition to providing clear security benefits, implementation of OCSP stapling removes the need for
Request ("OCSP Stapling") Network Security INFO Weekly 45
maintenance of CRLs and can vastly reduce the traffic on organization-owned OCSP servers, which also provides
Detected
operational benefits.
TLS Service Supports Weak
Network Security LOW Disable the cipher suites listed in the evidence column of the measurement. Weekly 45
Cipher Suite
TOR Server Detected Network Security HIGH Unless there is a specific, legitimate business reason for running it, remove the TOR server from your network. Weekly 45
Unsafe Implementation Of Please ensure that all website elements (i.e. <script> and <link>) loading JavaScript and CSS stylesheets hosted
Application Security LOW Weekly 45
Subresource Integrity with external organizations contain the 'integrity' directive with a valid checksum.
Unsolicited Commercial Email IP Reputation LOW Confirm with the reporting denylist if emails are not UCE. Varies* 1
Review the business need of exposing UPnP-enabled devices. Hide them behind a firewall, or make them
UPnP Accessible Network Security HIGH Weekly 45
accessible only on an intranet.
Reset the password for the compromised account. If the username is no longer active, ensure that no other
User-agent string exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Reset the password for the compromised account. If the username is no longer active, ensure that no other
Username exposed Information Leak INFO Varies* 15
services link to the affected email address, such as cloud-based applications that your organization uses.
Exposing remote access services to the Internet is not recommended. Consider placing the service behind a VPN,
VNC Service Observed Network Security MEDIUM preventing public access. If making the service private is not possible, restrict the service by allowlisting the IP Weekly 45
addresses that require access.
Monitor CVE lists and vulnerability repositories for exploit code that may affect your infrastructure. Subscribe to
the NVD RSS feed, or other feeds to be alerted to new exploits and vulnerabilities as they are released. Maintain a
Vulnerabilities observed Patching Cadence INFO Weekly 45
regular updating schedule for all software and hardware in use within your enterprise, ensuring that all the latest
patches are implemented as they are released.
Update or patch affected software and hardware. Enable automatic updates if they are available from your software
vendor and permitted in your environment. Monitor CVE lists and vulnerability repositories for exploit code that may
Vulnerability observed in most
Patching Cadence MEDIUM affect your infrastructure. Subscribe to the Bugtraq mailing list to be alerted to new exploits and vulnerabilities as they Weekly 45
recent scan
are released. Maintain a regular update schedule for all software and hardware in use within your organization, ensuring
that all the latest patches are applied soon after they are released.

Vulnerable Log4j version Update Log4j to 2.17.1 or a later version immediately. This version only runs on Java 8, so make sure to
Application Security INFO Varies* 15
detected update Java if you are using an earlier version.

Apply VMWare's update to any unpatched servers as soon as possible. Otherwise, deactivate OpenSLP services or
Vulnerable VMWare limit access to a list of trusted IP addresses. Maintain up-to-date backups of data that threat actors may target for
Application Security HIGH Weekly 45
ESXi Server Detected encryption. Only expose services to the wider internet when necessary. Consistently monitor network traffic for any
unexpected behavior.

17 | A Deep Dive in Scoring Methodology


Issue Type Factor Severity Recommendation Frequency Age Out
Companies should consider implementing a web application firewall that can protect against common
Web Application Firewall
(WAF) Detected | Application Security | POSITIVE | web vulnerabilities, such as SQL Injection and cross-site scripting (XSS). Many hosting providers offer WAF capabilities as well. | Weekly | 45
Web application potentially vulnerable to Spring4Shell | Application Security | LOW | Upgrade Spring Core to versions 5.3.18 or 5.2.20 and Spring Boot 2.6.6, depending on the variant. If not possible, apply appropriate configuration changes or follow downgrading instructions from Spring at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds. | Weekly | 45
Website communicates with payment provider | Application Security | HIGH | Protect this website with common application security controls, such as a valid TLS certificate and secure cookies. | Weekly | 15
Website copyright is current | Application Security | INFO | Continue updating the website’s copyright each year. | Weekly | 15
Website Copyright is Not Current | Application Security | HIGH | Review all of your site content and code regularly to ensure that copyrights, code, and other content remain up to date. | Weekly | 15
Website defaced | Application Security | INFO | Investigate how threat actors were able to access the web server. Based on your findings, install controls to prevent similar events in the future. Be especially cautious about file uploads to your site or prevent them altogether. | Weekly | 15
Website Does Not Implement HSTS Best Practices | Application Security | LOW | Every web application (and any URLs traversed to arrive at the website via redirects) should set the HSTS header to remain in effect for at least 12 months (31536000 seconds). It is also recommended to set the 'includeSubDomains' directive so that request | Weekly | 45
Website does not implement X-Content-Type-Options Best Practices | Application Security | LOW | Add the following header to responses from this website: 'X-Content-Type-Options: nosniff' | Weekly | 45
Website does not implement X-XSS-Protection Best Practices | Application Security | INFO | Add the following header to responses from this website: 'X-XSS-Protection: 1; mode=block' | Weekly | 45
Website Hosted by GoDaddy’s Wordpress | Application Security | INFO | Consult with GoDaddy to find out if your website has been impacted by the breach. Have users in your organization change their website login credentials. Train your organization to recognize and report phishing emails. | Weekly | 15
Website Hosted on Object Storage | Application Security | LOW | Ensure that the usage of external services, such as Amazon S3, conforms to company policies. | Weekly | 45
Website References Object Storage | Application Security | HIGH | Ensure that the usage of external services, such as Amazon S3, conforms to company policies. | Weekly | 45
Website Uses GoDaddy TLS Certificates | Network Security | INFO | Consult with GoDaddy to find out if your website has been impacted by the breach. Have users in your organization change their website administration login credentials. Train your organization to recognize and report phishing emails. | Weekly | 45
Websocket requests contain sensitive fields or PII | Application Security | HIGH | Remove sensitive information from websocket requests. | Weekly | 15

*There is no regular scanning frequency for this issue type. We collect data from multiple sources when it is available.
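The three header-related rows above (HSTS, X-Content-Type-Options, X-XSS-Protection) state concrete criteria. The checker below is an added example, not code from the ebook or from SecurityScorecard; it applies those criteria to constructed sample responses (the hostnames and header values are made up for the example).

```python
"""Added example: evaluate HTTP response headers against the three header
best-practice issue types listed in the table above. Not SecurityScorecard's
code; the sample responses are constructed."""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds: the HSTS minimum the table calls for

# Constructed sample responses keyed by a fictional hostname.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "good.example": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
    },
    "weak.example": {
        "Strict-Transport-Security": "max-age=86400",   # one day only
        "X-Content-Type-Options": "NOSNIFF ",           # value is case-insensitive
        # X-XSS-Protection deliberately absent
    },
}


def parse_hsts(value: str) -> Tuple[int, bool]:
    """Return (max-age in seconds, includeSubDomains present) from an HSTS value."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            max_age = int(arg.strip())
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (issue type, severity) findings for one response, using the
    issue names and severities from the table rows above."""
    # Header names are case-insensitive, so normalise them before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []

    max_age, include_sub = parse_hsts(h.get("strict-transport-security", ""))
    if max_age < ONE_YEAR or not include_sub:
        findings.append(("Website Does Not Implement HSTS Best Practices", "LOW"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("Website does not implement X-Content-Type-Options Best Practices", "LOW"))

    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append(("Website does not implement X-XSS-Protection Best Practices", "INFO"))
    return findings


def scan_all(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, List[Tuple[str, str]]]:
    """Run the check over every sampled host."""
    return {host: check_headers(hdrs) for host, hdrs in responses.items()}


if __name__ == "__main__":
    for host, findings in scan_all().items():
        print(host, findings or "no header findings")
```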



Signal Processing Workflow
Generating meaningful cybersecurity ratings consists of four distinct processing stages: Signal Collection, Attribution Engine, Cyber Analytics, and Scoring Engine.

Signal Collection
• IPv4 Scans
• Malware Sinkholes
• DNS data
• External data feeds

Attribution Engine
• RIR, DNS, SSL data
• Domain discovery
• Subdomains
• IP-domain pairing

Cyber Analytics
• Study emerging threats
• CVEs
• Machine Learning

Score Engine
• Digital Footprint
• Size normalization
• Factor scores
• Total score



Signal Collection
SecurityScorecard scans the entire IPv4 webspace at a regular cadence to identify vulnerable digital assets. Additionally, SecurityScorecard monitors signals across the internet, relying on a global network of sensors that spans the Americas, Asia, and Europe. We operate one of the world’s largest networks of sinkholes and honeypots to capture malware signals and further enrich our data set by leveraging commercial and open-source intelligence sources. SecurityScorecard supplements its data collection with external feeds from approximately 40 third-party public and commercial data sources. SecurityScorecard ingests approximately 1.5 Terabytes of data daily as part of our signal collection program.

Attribution Engine
Most of the signals collected are associated with an IP or related domain, which must then be matched with an organization, based on its digital footprint.

Attribution of IPs is a challenging process due to the dynamic nature of the internet. Netblocks of IPs can be assigned dynamically by Internet Service Providers (ISP), Cloud Service Providers (CSP), and Content Delivery Networks (CDN). These can change by the day or even by the hour. Furthermore, due to the distributed nature of the internet, DNS updates can take time to propagate across the web.

Fundamentally, attribution is a stochastic or probabilistic process, rather than a deterministic one. This means that on a practical basis, attribution can never be 100% accurate. However, with good quality data sources and advanced algorithms, the error rate can be held to a reasonably low level.

SecurityScorecard performs attribution using automated processes operating at internet scale, incorporating machine learning algorithms to optimize accuracy. SecurityScorecard attributes IPs to domains using RIR, DNS, SSL and other means as well as using third party data feeds. As each data source has its own confidence level, the data sources are aggregated for each candidate domain-IP pair and the domain-IP pair is accepted if the overall confidence level is satisfactory. The IP digital footprints are updated daily.

In addition to IP attribution, SecurityScorecard operates a domain discovery process to find related domains and subdomains that are controlled by each scored organization. For each scorecard, SecurityScorecard utilizes the Domain WHOIS service as well as passive DNS sources to generate a list of related domains. The list is then processed using statistical techniques and substring matching to retain only high confidence related domains. Based on pentesting by independent experts, the False Positive Rate for incorrectly attributing a domain to an organization is typically less than 5%.

We perform subdomain discovery using in-house systems which use data from CommonCrawl, SSL certifications, as well as several commercially available data feeds. Since subdomains are resolved to DNS A records and are owned by the parent domain, the effective False Positive rate is very low.

Based on an independent assessment by security firm, the False Positive Rate for domain attribution was less than 1%.
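The text says each data source carries its own confidence level and a candidate domain-IP pair is accepted only when the aggregated confidence is satisfactory, without giving the rule. The following is an added illustration, not SecurityScorecard's code: the per-source confidences, the noisy-OR combination and the acceptance threshold are all assumptions, and the candidate pairs are constructed.

```python
"""Added example: aggregate per-source confidence for candidate domain-IP
pairs and accept those that clear a threshold. Not SecurityScorecard's code;
confidences, combination rule, threshold and candidates are assumptions."""
from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (domain, ip)

# Assumed probability that a single source is right when it links an IP to a domain.
SOURCE_CONFIDENCE: Dict[str, float] = {
    "rir": 0.80,   # netblock registration names the organization
    "dns": 0.70,   # forward/reverse DNS agree
    "ssl": 0.75,   # certificate served on the IP names the domain
    "feed": 0.50,  # third-party data feed, weakest on its own
}
ACCEPT_THRESHOLD = 0.90  # assumed acceptance level


def combined_confidence(sources: List[str]) -> float:
    """Noisy-OR aggregation: the pair is wrong only if every supporting source
    is wrong, so independent corroboration raises confidence. Sources not in
    the table contribute nothing."""
    p_all_wrong = 1.0
    for s in sources:
        p_all_wrong *= 1.0 - SOURCE_CONFIDENCE.get(s, 0.0)
    return 1.0 - p_all_wrong


def attribute_pairs(candidates: Dict[Pair, List[str]]) -> Dict[Pair, bool]:
    """Decide each candidate pair by comparing its aggregated confidence
    with the threshold."""
    return {pair: combined_confidence(srcs) >= ACCEPT_THRESHOLD
            for pair, srcs in candidates.items()}


# Constructed candidate pairs for a fictional organization (documentation IP ranges).
CANDIDATES: Dict[Pair, List[str]] = {
    ("example.org", "192.0.2.10"): ["rir", "dns", "ssl"],   # three sources agree
    ("example.org", "198.51.100.7"): ["feed"],              # a lone feed claim
    ("example.org", "203.0.113.5"): ["dns", "feed"],        # partial corroboration
}

if __name__ == "__main__":
    for pair, accepted in attribute_pairs(CANDIDATES).items():
        print(pair, round(combined_confidence(CANDIDATES[pair]), 3), "accept" if accepted else "reject")
```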



Cyber Analytics
SecurityScorecard deploys a suite of analytics developed by its Threat Intel researchers, Data Scientists, and Software Engineers to extract and derive key insights from the raw input signals. Examples of key analytics, engineering and data processing include:

• Reverse engineering of malware families to enable identification of different malware strains and characterization of their behavior and threat level.

• Identification of CVEs and other vulnerabilities based on examination of digital assets returned from banner grabs as well as analysis of website code base, communication protocols, and SSL certifications.

• Application of machine learning algorithms to improve the quality and accuracy of security findings and provide key insights on security posture.

Scoring Engine
Scoring is a deterministic process based on an organization’s digital footprint and observed risk signals. SecurityScorecard’s scoring engine publishes and updates scores daily on more than 12 million organizations around the world. Our scoring methodology is described here.

Scoring Methodology
A unique challenge in providing fair and accurate ratings for organizational cybersecurity is properly accounting for the wide range of organizational sizes. Smaller entities, such as “MomAndPop.com” bearing a small digital footprint with just a single or a few IPs, will inevitably have fewer findings and correspondingly fewer security flaws compared to large enterprises operating over as many as hundreds of millions of IPs.

Conversely, larger entities will nearly always have more security defects than smaller entities and would receive worse security scores if no correction were made for the size of the digital footprint.
Size Normalization
To eliminate bias due to size, SecurityScorecard developed a principled scoring methodology based on a robust, statistical framework that ensures fair scores regardless of organization size.

Many types of security issues scale with the size of the organization. Larger organizations typically have a larger “attack surface” compared to smaller entities. More employees mean more devices to be protected and more servers mean more chances for an exposed port which should properly sit behind a firewall. Some issue types scale with the number of IPs. Others might scale with the number of related domains or number of employees.

As noted above, the digital footprint of different organizations can vary from a single IP to hundreds of millions of IPs. This range spans more than eight orders of magnitude, or more than eight multiples of ten. The best way to make meaningful measurements over such a large dynamic range is to use a logarithmic scale, where each increment corresponds to a multiple of 10.

Other common examples where a logarithmic scale is used to compare measurements spanning a wide dynamic range include the following:
• Richter scale for measuring earthquakes over more than 9 orders of magnitude.
• Decibel scale for measuring sound amplitude over 12 orders of magnitude.
• pH scale for measuring chemical acidity over 14 orders of magnitude.

Size normalization begins with scatter plots to capture how the number of occurrences of a given issue varies with organization size. For each organization and each security issue, the number of occurrences of the issue type is captured. The example shown is open port 3389, which corresponds to Microsoft’s Remote Desktop Protocol. A scatter plot is generated in which every scored entity represents a point on a log-log plot of the logarithm of the number of issue counts (y-axis) vs. the logarithm of the number of IPs (x-axis). A typical scatter plot will contain millions of data points, providing a large statistical “mass” for better accuracy and stability.

The large quantity of organizations scored by SecurityScorecard — currently more than 12 million — helps ensure an accurate characterization of the distribution of the number of occurrences of each issue type with organization size, resulting in more accurate scoring.

The size normalization process enables SecurityScorecard to provide score context for its users. In the example shown on the following page, the company has 3 instances of DNS Open Resolver, a misconfiguration of DNS services that can be exploited by malicious actors to launch a DDoS attack, potentially causing business interruption and reputational harm. Based on SecurityScorecard’s analysis of 12 million organizations, only 12% of entities of comparable size have this security flaw. Furthermore, among those similarly sized companies that do have the same flaw, the average number of such findings is 2, while this company has 3 findings, which is worse than average.



Calibration Process
[Figure: Comparison to similar companies]

SecurityScorecard generates a scatter plot similar to the example on the previous page for every scored issue type. A locally-weighted, nonparametric fitting algorithm is then applied to characterize both the mean (blue dashed curve) and the standard deviation of the number of expected issue counts as functions of organization size.

It is noteworthy that the dependence of issue counts on organization size is non-linear (the dashed blue line is curved). Simply assuming that the number of issue counts scales linearly with size would introduce serious errors, resulting in systematically distorted and incorrect cybersecurity scores.

This calibration process is carried out for every scored issue type, using data collected over a 2-month time interval to smooth out statistical fluctuations.

This process enables fair performance comparisons of organizations to others of similar size. In the example scatter plot, an organization in the red zone is at least 1 standard deviation worse than the mean, while an organization in the green zone is at least 1 standard deviation better than the mean. This approach ensures that comparisons are always made relative to other organizations of similar size.

Calculating Factor Scores
[Figure: 12% have this issue, just like this company; 88% do not have this issue. 2 findings on average; 3 findings for this company.]

The calibration process described above enables a reliable and stable statistical estimate to be calculated for a given organization and security issue, corresponding to how many standard deviations above or below the mean that organization is situated for the particular security issue. In statistical parlance, this is known as a “z-score”.

SecurityScorecard uses a “modified z-score”, where z = 0 if no findings are present, while z = 1 when the number of findings equals the mean for entities with the same size digital footprint. In this framework, 0 ≤ z < 1 corresponds to better than average, while z > 1 corresponds to worse than average.
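The Size Normalization, Calibration Process and Calculating Factor Scores passages above describe one pipeline: a log-scale scatter of issue counts against footprint size, a locally-weighted fit of the mean and standard deviation, and a modified z-score anchored at z = 0 (no findings) and z = 1 (count equals the size-adjusted mean). The code below is an added illustration of that pipeline, not SecurityScorecard's implementation. It assumes a synthetic scatter in place of the platform's millions of points, a Gaussian kernel in log10(IPs) as the locally-weighted fit, and a linear interpolation of the modified z-score between its two stated anchors, which the page does not specify; the peer-context window for the "12% have this issue, 2 findings on average" style of comparison is also an assumption.

```python
"""Added example of size normalization and the modified z-score. Not
SecurityScorecard's code; data, kernel fit and interpolation are assumptions."""
import math
import random
from typing import List, Tuple

Row = Tuple[float, int]  # (log10 of IP count, issue occurrences) for one org


def make_synthetic_scatter(n: int = 3000, seed: int = 7) -> List[Row]:
    """Constructed sample scatter: counts grow sub-linearly with footprint
    size and carry log-normal noise (an assumed scaling law, not real data)."""
    rng = random.Random(seed)
    rows: List[Row] = []
    for _ in range(n):
        log_ips = rng.uniform(0.0, 6.0)                # 1 IP up to 1,000,000 IPs
        expected = 10 ** (0.8 * log_ips - 1.0)         # assumed power law
        noise = math.exp(rng.gauss(0.0, 0.5))          # log-normal scatter
        rows.append((log_ips, int(round(expected * noise))))
    return rows


def local_fit(rows: List[Row], log_ips: float, bandwidth: float = 0.3) -> Tuple[float, float]:
    """Locally weighted mean and standard deviation of the issue count at a
    given footprint size, using a Gaussian kernel in log10 space (assumption
    standing in for the page's locally-weighted nonparametric fit)."""
    weights = [math.exp(-0.5 * ((x - log_ips) / bandwidth) ** 2) for x, _ in rows]
    wsum = sum(weights)
    mean = sum(w * y for w, (_, y) in zip(weights, rows)) / wsum
    var = sum(w * (y - mean) ** 2 for w, (_, y) in zip(weights, rows)) / wsum
    return mean, math.sqrt(var)


def modified_z(count: int, mean: float, std: float) -> float:
    """z = 0 with no findings and z = 1 at the size-adjusted mean, as the
    page states; between and beyond those anchors this moves one unit per
    standard deviation and is floored at 0 (an assumed interpolation)."""
    if count == 0:
        return 0.0
    if std <= 0.0:
        raise ValueError("standard deviation must be positive")
    return max(0.0, 1.0 + (count - mean) / std)


def peer_context(rows: List[Row], log_ips: float, half_width: float = 0.25) -> Tuple[float, float]:
    """Score context among similar-size peers: the fraction that have the
    issue at all and the average count among those that do."""
    peers = [y for x, y in rows if abs(x - log_ips) <= half_width]
    with_issue = [y for y in peers if y > 0]
    prevalence = len(with_issue) / len(peers) if peers else 0.0
    avg = sum(with_issue) / len(with_issue) if with_issue else 0.0
    return prevalence, avg


def score_issue(rows: List[Row], log_ips: float, count: int) -> dict:
    """Size-normalized view of one organization's count for one issue type."""
    mean, std = local_fit(rows, log_ips)
    prevalence, peer_avg = peer_context(rows, log_ips)
    return {"mean": mean, "std": std, "z": modified_z(count, mean, std),
            "peer_prevalence": prevalence, "peer_average": peer_avg}


if __name__ == "__main__":
    data = make_synthetic_scatter()
    print(score_issue(data, log_ips=3.0, count=40))   # a 1,000-IP org with 40 findings
```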



Calculating Raw Total Score
In version 3.0 of our scoring methodology, we no longer use a factor score to calculate the total score. We calculate the raw total score (RTS) by adding up all the z-scores associated with issue findings multiplied by their weights, or severity levels (low, medium, high, critical). Informational and positive issues do not contribute to the score. We use machine learning to calculate weights based on their correlation to likelihood of breach: the greater the correlation, the greater the severity level.

Calculating Total Score
After calculating the raw total score, we scale it based on the expected value of issue finding counts. We want to fairly score an organization by comparing it to others with similar Digital Footprint sizes.



Breach Penalty
A data breach at an organization is external evidence that a security intrusion has occurred, reflecting increased risk. To reflect this risk, its score is reduced by 10% upon disclosure of a breach. The negative score impact of the penalty gradually diminishes to zero over a 30-day period.

[Figure: Total Scores Over Time]

The score history at right illustrates the impact of a data breach that occurred in early June. The breach penalty reduced the score by 10 percent from 90 to 81. The penalty’s impact on the score diminished over the next 30 days and then no longer affected the score in early July.
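The raw total score and the breach penalty described above, as an added example (not SecurityScorecard's code). The severity weights are placeholders, since the page says the real ones come from a machine-learning correlation with breach likelihood; the penalty's linear decay is an assumption, the page giving only the 10% size and the 30-day duration; the scaling of the raw total score by expected finding counts is not specified on the page and is omitted here; the findings are constructed.

```python
"""Added example: raw total score from weighted z-scores, then the breach
penalty decaying over 30 days. Not SecurityScorecard's code; weights and the
decay shape are assumptions."""
from typing import Dict, List, Tuple

# Assumed placeholder weights per severity level. Informational and positive
# issues do not contribute to the score, as the page states.
SEVERITY_WEIGHT: Dict[str, float] = {
    "low": 1.0, "medium": 2.0, "high": 3.0, "critical": 4.0,
    "info": 0.0, "positive": 0.0,
}

Finding = Tuple[str, str, float]  # (issue type, severity, modified z-score)


def raw_total_score(findings: List[Finding]) -> float:
    """RTS: sum over findings of modified z-score times severity weight."""
    return sum(SEVERITY_WEIGHT[severity.lower()] * z for _, severity, z in findings)


def breach_penalty_fraction(days_since_disclosure: int) -> float:
    """10% of the score at disclosure, assumed to decline linearly to zero
    by day 30 (the page gives the endpoints, not the shape)."""
    if days_since_disclosure < 0 or days_since_disclosure >= 30:
        return 0.0
    return 0.10 * (1.0 - days_since_disclosure / 30.0)


def penalised_score(score: float, days_since_disclosure: int) -> float:
    """Total score after applying the breach penalty for the given day."""
    return score * (1.0 - breach_penalty_fraction(days_since_disclosure))


def score_history(score: float, days: int = 35) -> List[float]:
    """Day-by-day trajectory from disclosure (day 0) onwards, rounded for display."""
    return [round(penalised_score(score, d), 2) for d in range(days)]


# Constructed findings for one fictional organization (issue names from the
# page's own examples, z-scores made up).
FINDINGS: List[Finding] = [
    ("DNS Open Resolver", "medium", 1.5),                          # worse than peers
    ("Website communicates with payment provider", "high", 1.0),   # at the peer mean
    ("Website copyright is current", "info", 0.0),                 # does not count
    ("constructed positive finding", "positive", 1.0),             # does not count
]

if __name__ == "__main__":
    print("raw total score:", raw_total_score(FINDINGS))
    # Mirrors the page's figure: a score of 90 falls to 81 and recovers over 30 days.
    print("history:", score_history(90.0))
```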



Keeping the Scoring Framework Current
SecurityScorecard makes every effort to create and maintain cybersecurity ratings that are meaningful, accurate, and relevant.

Since cyber threats are constantly evolving with the emergence of new threats and development of new countermeasures and best practices — much like an arms race — SecurityScorecard continuously monitors the threat landscape and evaluates new data sources and new analytics to better reflect cybersecurity risk.

Calibration Cadence
As part of this effort, SecurityScorecard recalibrates its scoring algorithm on a regular monthly cadence. Similarly, credit rating agencies, including FICO, S&P, and Moody’s also recalibrate their scoring algorithms periodically, albeit less frequently owing to the relative stability of financial risk ratings criteria compared to cybersecurity risk ratings.

Maintaining a regular scoring update cadence enables SecurityScorecard to preserve fair cybersecurity risk ratings in a dynamic threat environment and also to introduce new issue types reflecting new risk metrics, as needed, to keep users and their ecosystems better informed.



Industry Comparisons
The calibration and scoring processes described above are applied globally to all organizations on the platform. This approach ensures a large statistical “mass” for reliably measuring and benchmarking the security posture of more than 12 million organizations.

Each scored organization is assigned an industry tag to facilitate comparisons within and across industries. The total and factor scores of individual companies may be easily benchmarked against others within the same industry, either at a point in time or to examine trends over periods up to 12 months.

Global calibration and scoring also enables comparisons of overall security posture of different industry sectors, which is useful for cyber insurance underwriting and cyber risk assessment at sovereign and national levels.

Industry Categories
• Construction
• Education
• Energy
• Entertainment
• Financial Services
• Food
• Government
• Healthcare
• Hospitality
• Information Technology
• Services
• Legal
• Manufacturing
• Non-profit
• Pharmaceutical
• Retail
• Telecommunications
• Transportation



Collaboration with End Users
SecurityScorecard maintains a collaborative relationship with its users to improve
awareness of cyber risk and to report accurate findings.

Users are provided with a Score Planner tool on the platform which enables them to interactively
develop a remediation plan to improve their score. The tool proposes a path to better scores that
users may customize according to their preferences.

In addition, users may dispute findings on their scorecard, due, for example, to compensating
controls or attribution error, by submitting a refute online along with appropriate evidence.
SecurityScorecard reviews each submitted refute and associated supporting evidence and, if
warranted, corrects and updates the scorecard. A refute is accepted or denied within 48 hours
on average. If accepted, the scorecard is updated within 48 to 72 hours.



Validation
SecurityScorecard’s scoring algorithm has successfully passed rigorous internal verification and
validation testing.

Verification testing is an engineering process to determine whether the algorithm’s outputs conform to the inputs. The algorithm is subjected to a battery of statistical tests including edge cases to verify its accuracy and stability.

Validation testing determines whether the scoring algorithm satisfies its intended use as a cybersecurity risk assessment tool, i.e. do poor scores correlate with a higher likelihood of an adverse event.

In the credit rating sector, lower ratings correlate with a higher probability of default. For cybersecurity ratings, lower ratings (lower scores) should correlate with a higher likelihood of data breach.

SecurityScorecard analyzed the correlation between score and breach likelihood, based on available breach data. Statistical power is limited by the amount of breach data that is publicly available. The challenge is compounded by the fact that as many as 60-89% of breaches go unreported, since not all organizations are under regulatory obligation to disclose data breaches.

Validation testing demonstrated that companies with an F rating have a 13.8x greater likelihood of incurring a data breach compared to companies with an A.



Limitations
While SecurityScorecard’s cyber risk ratings can provide substantial insights into the security postures of different
organizations and their trends over time, there are some inherent limitations:

• SecurityScorecard employs an “outside-in” approach, which enables external assessment of the cybersecurity posture of organizations non-intrusively, and at scale. However, it is generally not possible to detect the presence of compensating controls internal to an organization’s network. In such cases, SecurityScorecard will likely report a score that is too low. However, users may correct their own scores to reflect the presence of compensating controls by submitting a refute together with supporting evidence. A refute is accepted or denied within 48 hours on average. If accepted, the scorecard is updated within 48 to 72 hours.

• The dynamic nature of the internet also imposes limitations. Dynamic IPs can be reassigned daily or even hourly. Communication ports can be opened and closed at different times. Changes in domain and IP ownership can occur at any point, but take time to propagate across the internet. The dynamic nature of the internet imposes a fundamental limitation on the accuracy of any process seeking to characterize its current state. Results of such efforts are necessarily probabilistic rather than deterministic. For SecurityScorecard, this means that while scores and attribution are substantially correct, they will always be subject to some errors in the form of false positives and false negatives. SecurityScorecard has developed a suite of algorithms powered by machine learning to minimize these errors and is continuously enhancing our system architecture to improve update cadences to keep attribution and scoring as current as possible.



FAQ
Q: How often are scores updated?
A: Scores are updated and refreshed daily.

Q: How often do scoring algorithm changes occur?
A: Our scoring algorithm changes every three to four years.

Q: Why do scores fluctuate?
A: Scores fluctuate marginally from a regular scoring update cadence (once a month). This enables SecurityScorecard to preserve fair cybersecurity risk ratings in a dynamic threat environment and also to introduce new issue types reflecting new risk metrics, as needed, to keep users and their ecosystems better informed. Outside of scoring updates, scoring of an organization is a purely deterministic process. It is a function of the digital footprint and the number of security issues found. If these are unchanged, then the score will also be unchanged.

Q: Does SecurityScorecard normalize the score for organizational size?
A: Larger enterprises typically have a larger attack surface than smaller companies. SecurityScorecard levels the playing field to deliver fair scores for organizations of any size using a principled size normalization scheme.

Q: How often do scoring recalibrations occur and how do I know if they will impact my score?
A: Recalibrations occur once every quarter. If your score will be impacted by an upcoming recalibration, you will see a banner on the platform four weeks prior to the recalibration date to see the impact on the score changes along with a link to our knowledge base article for more detail.

Q: I see an IP on my digital footprint that is not mine. How can I trust your attribution?
A: SecurityScorecard performs IP attribution using automated processes operating at scale, using public RIR, DNS, and SSL data as well as third party data sources. Owing to the dynamic nature of the internet, in which IPs can be reassigned to different organizations by the day or even by the hour, IP attribution has a fundamentally probabilistic character and cannot be error-free. A team of independent pentest experts audited a random sample of SecurityScorecard scorecards to objectively determine the accuracy of SecurityScorecard IP and domain attribution. They found the attribution process to have an accuracy of 95%. Accuracy was 94% for positively attributing IP addresses, and 100% for DNS records.

Q: Are factor scores not used to calculate the overall score?
A: Factor scores represent the health of each of the factors based on the issue types tied to those factors. The overall score will be calculated by the issue types weights, since factors themselves will not have any weights.

Q: How are factor scores calculated?
A: Factor scores are calculated based on the issue types that are part of those factors. Each issue type has a weight, based on their severity, which contributes to the factor score.

Q: How much is the weight of each factor and how are factor weights determined?
A: There are no longer factor weights with the new scoring algorithm, overall scores are a direct representation of issue types. The factors will continue to have factor scores, but will not have factor weights.



About SecurityScorecard
Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV,
Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million
companies continuously rated.

Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s
patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk
management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard
is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree
approach to security prevention and response for its worldwide customer and partner base.

SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve
and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right
to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com
or connect with us on LinkedIn.

GET YOUR SCORE


To receive an email with your company’s current score, please visit instant.securityscorecard.com.

Get Started

United States: (800) 682-1707 SecurityScorecard.com


International: +1(646) 809-2166 [email protected]
