
SecurityScorecard - assessing cybersecurity from outside

Tuesday, September 8, 2020

SecurityScorecard, of New York City, provides a service to assess a company's cybersecurity without internal access to their computer systems, as a way for companies to assess their partners and suppliers.

SecurityScorecard, based in New York City, offers a cybersecurity assessment of any company in the world, based on externally available information (without internal access to any of the company's systems). The company says it is already used by 'an abundance of upstream oil and gas customers' (which it cannot name).

It is easy to imagine why the service might be useful for oil and gas operators - to assess suppliers before giving them access to parts of the operator's systems, or to assess their risk. It would also be useful to insurance companies, before considering insuring a company against cyber risk. But the big question is, can it work?

If it can work, then cybersecurity ratings might be treated in a similar way to credit ratings. Everybody has a score.

Paul Gagliardi, head of threat intelligence and CISO at SecurityScorecard, says that one of the easiest ways to assess a company's cybersecurity from outside is from records of whether their externally facing website has ever been hacked.

SecurityScorecard has records of 30,000 website breaches since 1998.

From outside, you can scan the website for malware. You can also see how well the website is configured, for example whether it is running the latest version of WordPress.

Another source of information is when companies are obliged to report hacking - such as because they are stock listed, or under the EU's GDPR regulation. Some industry sectors are very active in reporting breaches, such as the US health sector which will often report issues such as a doctor losing a laptop with unencrypted patient data stored on it.

Another source is analysis of the 'end points' - the devices which employees use to access web pages.

One source of data is online advertising companies, which collect data about the browser customers are using, including the version of the browser software, or version of the operating system (both Windows and Android). SecurityScorecard partners with an advertising company, to access its data.

This data can be connected to the IP address of the device, although not to the individual using it. SecurityScorecard uses a variety of publicly available data to connect the IP address with a physical building, and with the company which uses that account. Typically, a company's physical office will be allocated an IP address, or a range of IP addresses, by its internet service provider, the company says. 'Connecting the IP address to the company name is a seriously heavy technical lift,' he says. 'We've invested a lot of resources in that.'

If the company is hosting the website itself, then it is possible to see how well patched the server is, or what version of software it is running.

SecurityScorecard also looks at how quickly software updates are implemented - what it calls the 'patching cadence'.
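The two outside-in signals just described, the software versions an external observer can read off a web server and the 'patching cadence', can be made concrete with a small script. This is an added example, not SecurityScorecard's code; the HTTP response, the patch-observation dates, the table of 'latest' versions and the grade thresholds are all constructed assumptions.

```python
"""Added example (not SecurityScorecard's code): version exposure and patching
cadence computed from constructed data. The reference-version table, the patch
events and the grade thresholds are assumptions for illustration."""
import re
import statistics
from datetime import date

# Constructed HTTP response, as an external observer would see it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4.1" />'
    "</head><body>hello</body></html>"
)

# Assumed reference table of current releases at observation time (placeholder values).
LATEST = {"apache": "2.4.46", "wordpress": "5.5.1"}


def _vtuple(v):
    """'2.4.29' -> (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def extract_versions(raw):
    """Return {product: version} from the Server header and a WordPress generator tag."""
    headers, _, body = raw.partition("\r\n\r\n")
    found = {}
    m = re.search(r"^Server:\s*([A-Za-z-]+)/([\d.]+)", headers, re.M | re.I)
    if m:
        found[m.group(1).lower()] = m.group(2)
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', body, re.I)
    if m:
        found["wordpress"] = m.group(1)
    return found


def outdated(found, latest=LATEST):
    """Products whose observed version is behind the reference table."""
    return sorted(p for p, v in found.items()
                  if p in latest and _vtuple(v) < _vtuple(latest[p]))


# Constructed patch observations: (product, fix released, upgrade first observed).
PATCH_EVENTS = [
    ("wordpress", date(2020, 4, 29), date(2020, 5, 20)),
    ("apache", date(2020, 4, 1), date(2020, 7, 15)),
    ("openssh", date(2020, 2, 14), date(2020, 3, 2)),
]


def patching_cadence_days(events=PATCH_EVENTS):
    """Median days from a fix being released to its deployment being observed."""
    return statistics.median((seen - released).days for _, released, seen in events)


def cadence_grade(days):
    """Assumed thresholds mapping cadence onto the A-F letter scale."""
    if days <= 14:
        return "A"
    if days <= 30:
        return "B"
    if days <= 60:
        return "C"
    if days <= 90:
        return "D"
    return "F"


if __name__ == "__main__":
    found = extract_versions(SAMPLE_RESPONSE)
    print("observed:", found, "outdated:", outdated(found))
    days = patching_cadence_days()
    print(f"median days to patch: {days}, cadence grade {cadence_grade(days)}")
```

Run against the constructed response, both products are reported as behind the reference table, and the three constructed patch events give a median of 21 days, a 'B' under the assumed thresholds. A real service would replace the reference table with a maintained feed of release dates and would observe many responses over time rather than a single snapshot.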

Other sources of information are 'hacker chatter' - if hackers are talking about a company being easy to penetrate.

If a company uses cloud-based systems, it may be possible from outside to determine what systems are being used, and if the company hosting them has a good security score itself.

Another assessment method is spear phishing, sending e-mails designed to trick the recipient into sharing usernames and passwords. These catch out companies which otherwise have very good technical defences. SecurityScorecard does not run its own spear phishing tests, but it has found ways to buy domains used in spear phishing tests so it can see who is clicking on the e-mails.

Useful guidance

As well as helping assess clients and partners, the analysis service can help a client better understand its digital 'estate', including elements which are out of the control of the IT department.

Many companies do not have very good co-ordination internally about their cybersecurity, with different elements of it run by different people.

For example, a large company may work with an external provider for its HR, which has lower cybersecurity 'hygiene', but is a close partner with the large company.

Or a public-facing website might be produced by a marketing department with no technical expertise, without the IT people, who know about cybersecurity, being invited to get involved.

SecurityScorecard uses a castle-and-moat analogy to explain the service to customers. A large company has many partner companies and suppliers which need to sit within its security 'moat'. The service gives it a way of making sure the entire moat can't be breached, even though it does not have direct control over all of it.

There have been reports of companies saying they will delist suppliers who get low scores. But since the service is only guidance, not entirely fact based, it may be better to say that a company with a low score should be subject to more levels of security audit, perhaps with IT security staff from the customer doing a physical inspection or a phone interview, Mr Gagliardi says.

How it works

Companies are graded A, B, C, D or F. You can receive the score for your own company free by entering your company e-mail address on the SecurityScorecard website.

The score is only an estimate, but its accuracy should increase over time.

Of course there is no certainty that an 'A' rated company will never be breached, or that an 'F' rated company is very vulnerable to cyberattacks. But it does give an indication of the company's 'cyber hygiene', Mr Gagliardi says. Typically, if a site is breached the company drops down a rating.

Looking at the whole data set, the company can estimate that certain clients are 4-6 times more likely to be breached than others, and check that estimate against breaches that actually occur. 'We're always tuning that algorithm to make sure that breach likelihood is accurate,' he says.

The calculation algorithm is 'normalised' to take into consideration the fact that the bigger a company is, the more that can go wrong. And it is not fair to consider a hack by a highly skilled state as equivalent to a hack by a teenager messing around.
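Size normalisation and the 'times more likely to be breached' comparison can be shown on a constructed portfolio. This is an added example and not SecurityScorecard's algorithm: the company records, the findings-per-asset thresholds and the grade bands are assumptions chosen to illustrate the two ideas, nothing more.

```python
"""Added example, not SecurityScorecard's algorithm: (a) normalising raw finding
counts by estate size and (b) measuring relative breach likelihood per grade
band. All data and thresholds below are constructed assumptions."""
from collections import defaultdict

# Constructed: (company, externally exposed assets, open findings, breached in period?)
PORTFOLIO = [
    ("alpha", 2000, 10, False),
    ("bravo", 50, 10, True),
    ("charlie", 400, 2, False),
    ("delta", 30, 9, True),
    ("echo", 1200, 3, False),
    ("foxtrot", 100, 25, True),
    ("golf", 800, 4, False),
    ("hotel", 60, 15, False),
    ("india", 3000, 12, True),
    ("juliet", 40, 12, True),
    ("kilo", 500, 15, False),
    ("lima", 300, 24, True),
]


def findings_per_100_assets(assets, findings):
    """Size normalisation: a raw count of 10 findings means something very
    different for 2,000 exposed assets than for 50."""
    return 100.0 * findings / assets


def grade(rate):
    """Assumed thresholds on findings per 100 assets, mapped to A-F."""
    if rate < 1:
        return "A"
    if rate < 5:
        return "B"
    if rate < 10:
        return "C"
    if rate < 20:
        return "D"
    return "F"


def breach_rate_by_grade(portfolio=PORTFOLIO):
    """Fraction of companies in each grade band that were breached in the period."""
    totals = defaultdict(lambda: [0, 0])  # grade -> [companies, breached]
    for _, assets, findings, breached in portfolio:
        g = grade(findings_per_100_assets(assets, findings))
        totals[g][0] += 1
        totals[g][1] += int(breached)
    return {g: breached / n for g, (n, breached) in totals.items()}


def relative_likelihood(portfolio=PORTFOLIO, baseline="A"):
    """How many times more often each band was breached than the baseline band.
    This is the kind of figure the article quotes ('4-6 times more likely')."""
    rates = breach_rate_by_grade(portfolio)
    base = rates[baseline]
    return {g: (r / base if base else float("inf")) for g, r in rates.items()}


if __name__ == "__main__":
    for name, assets, findings, breached in PORTFOLIO:
        rate = findings_per_100_assets(assets, findings)
        print(f"{name:8s} {rate:6.2f}/100 assets  grade {grade(rate)}  breached={breached}")
    print("breach rate by grade:", breach_rate_by_grade())
    print("relative to A:", relative_likelihood())
```

On the constructed data, the 'A' band is breached once in five companies and the 'F' band four times in five, so the script reports 'F' companies as four times more likely to be breached. Note that with twelve records the ratio is meaningless as evidence; the point is only how the normalisation and the comparison are computed, which is what the quoted 'tuning' of the algorithm would be checking against a much larger data set.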

But smaller companies might be expected to at least make their website hack-proof.

Hearing that they have a poor score is a strong motivator for companies to improve how they manage cybersecurity, Mr Gagliardi says. It is something of a 'public embarrassment' which can push people to patch more often.

But some companies may be 'a bit combative,' the first time the IT manager sees their grade.

Any company has the opportunity to enter a discussion with SecurityScorecard about why they think their grade should be higher.

Oil and gas

Looking at the oil and gas sector, some large oil companies might have tens of thousands of vendors. They may want to receive an alert if any of their vendors have malware on their websites, or other signs of badly managed cybersecurity, Mr Gagliardi says.

One oil and gas specific concern is the goal conflict between people who want to keep industrial control systems running at all costs, and the desire for cybersecurity, he says.

In traditional IT security, the three pillars of integrity, confidentiality and availability are given equal weighting, but in the operational control systems world, there's much more weighting to 'availability'.

So, companies often end up using very old versions of Windows and old routers. They don't update them because they are more concerned about keeping the system running, and about patches causing software problems, than they are about a security breach.

But when they don't update the machines and keep them at ancient versions the 'attack surface is significantly increased,' he says.
