Businesses rely on third-party solutions to complement and deliver their products and services. From user hardware and software purchases to business operational and administrative services, capital and operational expenses include purchases of, and reliance on, solutions that are not native to the business. In this blog I go over one type of service offering that can help inform a business's selection process: the public cyber security rating.
What is a Public Security Rating?
A public cyber security rating (PCSR) is an aggregated score assigned to a business based on weighted data points drawn from the business's known public Internet Protocol (IP) footprint. The key word here is "public". This is important to remember because the score may not consider the internal security measures undertaken by the business, which may be superior to those on its public-facing assets. This is not to imply that the score should not be considered reflective of the business; it just means that there may be additional factors that have not been weighed.
Who Conducts Public Cyber Security Ratings?
While there are a few companies who conduct PCSRs, I have had the opportunity to evaluate three: Bitsight, Security Scorecard, and UpGuard. Of the three, I have onboarded and administered Security Scorecard and UpGuard, with the latter being the current active solution in my organization.
How are ratings calculated?
Each company has its own defined categories and scoring system, with various collection objects that are considered when assigning an overall risk score. Below are some of the generalized categories that are reviewed during these non-intrusive reviews:
Website Security: considerations include secure (HTTPS) vs non-secure (HTTP) hosting, request and response messages, site certificates, hosting platform checks, and common vulnerability scoring system (CVSS) checks
Network Security: considerations include associated public network mapped footprint (i.e., owned domains and registered IP addresses and ranges), and open/closed ports, domain name system (DNS) and DNS security extensions (DNSSEC) checks, patching cadence, and CVSS checks
Brand & Reputation Risk: considerations include public performance records (e.g., disclosed breaches or security incidents), exposed credentials, darkweb chatter, employee behavior observations (e.g., use of peer-to-peer networks), and other public performance records
Phishing & Malware Risk: observations of unsolicited communications, spam reports, and malware infections
Email Security: how a company protects its email communications through SPF, DKIM, DMARC and Brand Indicators for Message Identification (BIMI) configurations
Why are Public Security Ratings Important?
Looking back at 2022 and 2023, a sizable portion of major breaches occurred in applications and services that are widely used by companies, from user-facing applications like password management solutions (e.g., LastPass) and file transfer services (e.g., MOVEit) to enterprise solutions and services like Okta (secure identity cloud) and BillTrust (accounts receivable services). While these big names may have the resources to rapidly respond to and communicate these breaches, not all vendors have those same resources; they may have an inferior performance record and/or may have existing subpar performance indicators sitting in their public footprint.
Evaluating Vendors
Every business should have a third-party risk management (TPRM) program in place to manage organizational risks proactively and reactively. A component of the program should be a documented open-source intelligence (OSINT) risk assessment of prospective and current vendors, with PCSR results as a weighted factor. Most businesses are unable to dedicate the personnel and resources required to perform continuous monitoring of these outsourced vendors; this is where a PCSR service complements your TPRM program. A PCSR service takes periodic snapshots of each vendor's public footprint and reports the PCSR itself, with detailed information on findings and remediation recommendations, basic company information (e.g., industry, employee count, headquarters, etc.), and historical performance data. In addition, continuous monitoring relieves the burden placed on in-house resources by automatically alerting the business to changes in vendor profiles resulting from published breaches or observed security trends.
Self-Assessments and Competitive Advantages
Just as you can use a PCSR to make vendor decisions, others can use the same PCSR service to evaluate your business. While this service should never replace a third-party assessment of your critical public assets, it complements those assessments by providing a continuous monitoring solution to identify changes (positive or negative, intentional or unintentional) that occur between those typically yearly assessments. The alerts and notifications generated by the service can aid your team in promptly taking care of security concerns that can affect your public perception. Maintaining a high score in today's market, where security is at the forefront when selecting vendors, can be the difference in a customer selecting your business over a competitor. Additional advantages may include:
Reduction in cyber insurance premiums (some carriers look at PCSRs as "credit ratings")
Compliance evidence
Competitive metrics (i.e., how well you are performing over your competitors)
Board of Directors assurance evidence
Public Cyber Security Rating Considerations
When reviewing your PCSR or evaluating others, it is important to note the following:
Email Communications
For some reason, many businesses do not make the effort to protect their email communications through SPF, DKIM, and DMARC configurations, all of which have an impact on PCSRs and on the "trustworthiness" of their emails. Taking the time to "certify" your authorized sending sources increases your brand reputation while minimizing the chances of criminals spoofing your official email domain. This is even more important for businesses who send out mass email marketing campaigns, as Google and Yahoo have announced their commitment to combating mass email attacks by requiring bulk senders (e.g., over 5,000/day) to authenticate their email sending sources.
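To make the SPF and DMARC checks concrete, here is an added example (not code from the original post or from any rating vendor) that evaluates the published records the way a rating service scores them: the `all` qualifier and lookup count of an SPF record, and the policy, percentage and reporting tags of a DMARC record. The domain names and records are constructed sample data; a real check would fetch the TXT records of the domain and its `_dmarc` subdomain over DNS.

```python
import re

# Constructed sample records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example include:spf.crm.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _mechanism_name(term):
    """Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()

def check_spf(record):
    """Return a list of findings for one SPF record; an empty list means no issue."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no valid v=spf1 record published"]
    findings = []
    terms = record.split()[1:]
    # The 'all' mechanism decides how receivers treat senders not listed before it.
    all_terms = [t for t in terms if _mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("SPF: '+all' authorizes every sender, so the record proves nothing")
    elif all_terms[-1] == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no signal")
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record):
    """Return a list of findings for one DMARC record; an empty list means no issue."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["DMARC: no DMARC record published"]
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if policy in ("quarantine", "reject") and int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings

def assess_domain(records):
    """Combine the SPF and DMARC findings for one domain's record set."""
    return check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))
```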
Public IP Footprint
Another challenge to consider is that PCSR services mine ARIN registration and domain name registrar data and attach findings and scores to businesses based on the information those records contain, including:
Organizations that hold those resources
Domain registration owners
Points of Contact for resources or organizations
Customer reassignment information from Internet Service Providers to their downstream customers
As you may be aware, the information collected is not always accurate. For example, although our company split and severed ties with the parent company, 4 years later the parent IP space, which was underperforming, was still attached to our company, negatively affecting our independent rating. Another problem encountered was that our company name was contained within other IP blocks registered by companies with a similar name (e.g., "Fictional Company Inc." vs. "Fictional Company Communications"). Through no fault of our own, PCSR services were matching on "Fictional Company" and automatically tying both companies together, which impacted our PCSR. Think of your public IP space as an extension of your intellectual property: protect it through periodic reviews and, where feasible, work with PCSR services to correct deficiencies.
Site Security Certificates
Although less likely, this is a situation worth keeping in mind. Site security certificates contain information that can be mined to determine ownership or association. After the split from the parent company, the parent company continued to use site certificates that contained our information; again, this negatively affected our PCSR. Unfortunately, changing site security certificates may have cascading effects, and close collaboration is imperative to resolving this situation.
Focusing on Applicable URLs
When reviewing a vendor's PCSR, you may want to consider focusing the review on those services that are actually consumed by your business. For example, Workday offers several different products in finance, human relations, planning, and industry operations. If the business uses one product such as Workforce Management for HR purposes, the portal for that service may hold more weight for the business than the financial service offerings that are not being used.
Website Hosting
Using hosting services such as Wix or GoDaddy may be convenient as they offer packages to help get your internet presence up and running quickly. However, they may also reduce your ability to increase your security score because they limit your ability to manage website security controls. For example, the website you are currently viewing has a current overall PCSR of 740 (B) through UpGuard; please see the breakdown below:
Website Security: 644 (B)
Network Security: 908 (A)
Brand & Reputation Risk: 950 (A)
Email Security: 950 (A)
Phishing & Malware: 950 (A)
Unfortunately, the findings negatively impacting the Website Security category are controlled by Wix. When we worked with their support team, they responded with, "Please note that automated security scans often fail on Wix sites and may provide results that include supposed vulnerabilities because they do not consider the specifics of Wix's security infrastructure which is very complex, and involves many layers of unique solutions." Settings affecting content security policies, session cookie protections, server information header exposure, and others are controlled by Wix. While I do not discredit the effort put forward by Wix to secure their customers' experience, Wix may not be the most suitable service to use if a high PCSR is of importance to the business.
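The Website Security findings mentioned above (content security policy, session cookie flags, server header exposure) are all visible in the HTTP response headers, so a site owner can check them before a rating service does. The following is an added example, not code from the original post, UpGuard or Wix; the two header sets are constructed samples, one with the defaults a managed host might emit and one hardened by the site operator. A real review would capture the headers of the live site.

```python
# Constructed sample responses as (header name, value) pairs; not captured from any real site.
MANAGED_HOST_HEADERS = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

# Headers a rating service expects to see, with the finding raised when absent.
REQUIRED = {
    "strict-transport-security": "HSTS header missing; browsers may still connect over HTTP",
    "content-security-policy": "no Content-Security-Policy header",
    "x-content-type-options": "X-Content-Type-Options: nosniff missing",
    "x-frame-options": "X-Frame-Options missing (no clickjacking protection)",
}
# Headers whose presence discloses the server stack and version.
DISCLOSING = {"server", "x-powered-by"}

def check_cookie(value):
    """Return findings for one Set-Cookie value: each session cookie should carry all three flags."""
    name = value.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]
    return [f"cookie '{name}' lacks {', '.join(missing)}"] if missing else []

def review_headers(headers):
    """Return the list of findings for a response's headers; an empty list means no issue."""
    findings = []
    seen = set()
    for name, value in headers:
        key = name.lower()
        seen.add(key)
        if key == "set-cookie":
            findings += check_cookie(value)
        elif key in DISCLOSING:
            findings.append(f"{name} header exposes stack details: {value}")
    # Missing protective headers are reported after the per-header checks.
    findings += [msg for key, msg in REQUIRED.items() if key not in seen]
    return findings
```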
Conclusion
According to a survey conducted by Panorays, only 13% of approximately 100 security executives stated they continuously monitor their third-party risk. That means that more often than not, once a vendor is selected, its security performance goes unchecked until an incident or breach occurs. By using a PCSR service, you can be alerted to third-party risks and work with your current vendors to mitigate or annotate risks to your business, or use the service to determine which vendors to work with. Likewise, if your business provides services, it is important to monitor your own security score as an external attestation to current and potential customers, as well as insurance carriers, that your business takes cybersecurity seriously.