When there is insufficient data to grade a risk vector, a default grade is assigned to that risk vector. The threshold for what counts as insufficient data varies by risk vector.
Insufficient data could be due to any of the following reasons:
- There are no findings, or the findings have no impact on the score. Neutral findings do not impact the score; if only Neutral findings are detected, a default letter grade is assigned.
- For Desktop Software and Mobile Software, the estimated number of users falls below a minimum threshold.
- For Mobile Application Security, the organization has not published any mobile applications (no assets).
- We are temporarily unable to collect data.
❖ For the risk vectors marked ❖ in the table below, the most recent grade is assigned for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned as soon as the latest finding’s lifetime is over.
- Example 1 - a company’s current DKIM grade is a D, with a single finding. Once the finding’s lifetime of 60 days is over, the DKIM grade will become a C until new data changes the grade.
- Example 2 - a company’s current DKIM grade is a B, with a single finding. Once the finding’s lifetime of 60 days is over, the latest DKIM grade of B will be held for up to 400 additional days until the grade reverts to the default C.
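The holdover rule above and the two DKIM examples, as an added illustration that is not Bitsight’s code and not part of the original page: a small Python model of the documented behaviour. The grade ordering, the 400-day hold and the 60-day DKIM lifetime are taken from the text; the finding date, the grade scale and the flag marking which risk vectors hold their last grade are assumptions for the example.

```python
"""Model of the default-grade holdover rule described on this page.

Added example, not Bitsight's implementation. Assumed for illustration:
the letter-grade ordering, the constructed finding date, and the
`holds_last_grade` flag that stands in for the ❖ marker in the table.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed letter-grade scale, worst to best.
GRADE_ORDER = ["F", "D", "C", "B", "A"]
HOLD_DAYS = 400          # page: most recent grade held for up to 400 days
DKIM_LIFETIME_DAYS = 60  # page: DKIM finding lifetime in the two examples
DKIM_DEFAULT_GRADE = "C" # page: DKIM default sits in the center of the scale


def grade_rank(grade: str) -> int:
    """Higher rank means a better grade."""
    return GRADE_ORDER.index(grade)


@dataclass(frozen=True)
class RiskVectorState:
    last_grade: str          # grade produced by the most recent finding
    last_finding: date       # first-seen date of that finding (constructed)
    lifetime_days: int       # lifetime of that finding
    default_grade: str       # default grade for this risk vector
    holds_last_grade: bool = True  # True for risk vectors marked ❖


def effective_grade(state: RiskVectorState, today: date) -> str:
    """Grade shown on `today` under the documented rule.

    - While the finding is within its lifetime, its grade applies.
    - After the lifetime, a grade lower than the default is replaced by the
      default immediately.
    - Otherwise (for ❖ vectors) the last grade is held for up to HOLD_DAYS
      after the lifetime ends, then reverts to the default.
    """
    lifetime_end = state.last_finding + timedelta(days=state.lifetime_days)
    if today < lifetime_end:
        return state.last_grade
    if not state.holds_last_grade:
        return state.default_grade
    if grade_rank(state.last_grade) < grade_rank(state.default_grade):
        return state.default_grade
    hold_end = lifetime_end + timedelta(days=HOLD_DAYS)
    return state.last_grade if today < hold_end else state.default_grade


# Constructed first-seen date for the single finding in both examples.
EXAMPLE_FINDING_DATE = date(2024, 1, 1)


def dkim_example_1(days_after_finding: int) -> str:
    """Example 1: current DKIM grade D with a single finding."""
    state = RiskVectorState("D", EXAMPLE_FINDING_DATE,
                            DKIM_LIFETIME_DAYS, DKIM_DEFAULT_GRADE)
    return effective_grade(
        state, EXAMPLE_FINDING_DATE + timedelta(days=days_after_finding))


def dkim_example_2(days_after_finding: int) -> str:
    """Example 2: current DKIM grade B with a single finding."""
    state = RiskVectorState("B", EXAMPLE_FINDING_DATE,
                            DKIM_LIFETIME_DAYS, DKIM_DEFAULT_GRADE)
    return effective_grade(
        state, EXAMPLE_FINDING_DATE + timedelta(days=days_after_finding))


if __name__ == "__main__":
    # Walk both examples across the lifetime boundary and the 400-day hold.
    for offset in (0, 59, 60, 459, 460):
        print(f"day {offset:3d}: example 1 -> {dkim_example_1(offset)}, "
              f"example 2 -> {dkim_example_2(offset)}")
```

The D in Example 1 turns into a C on day 60 because the finding has aged out and a grade below the default is not held; the B in Example 2 survives the lifetime and the further 400-day hold before reverting to C on day 460, which is the behaviour the two examples describe.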
Default Grades by Risk Vector
Risk Vector | Default grade behavior |
---|---|
SPF Domains | Having SPF records for all domains (including SMTP servers and domains that are not configured to send email) is best practice: if a company does not intend to send email from a domain, an attacker can still use that domain to spoof email. Only domains that are observed sending email and have no SPF record affect the grade. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. |
DKIM Records | Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. The default is set in the center of the grading scale for computing into security ratings. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned. |
TLS/SSL Certificates | The default is set in the center of the grading scale for computing into Bitsight Security Ratings. Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic; some firewalls also detect and block external data-gathering tools. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned. |
TLS/SSL Configurations | The default is set in the center of the grading scale for computing into Bitsight Security Ratings. Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic; some firewalls also detect and block external data-gathering tools. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned. |
Open Ports | Companies are not required to run services on open ports. The rating is positively impacted if there are no findings for this risk vector. |
Web Application Headers | Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic; some firewalls also detect and block external scanning tools. The default is set in the center of the grading scale for computing into security ratings. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned. |
Patching Cadence | The rating is positively impacted if there are no findings for this risk vector within its lifetime. |
Insecure Systems | The rating is positively impacted if there are no findings for this risk vector. |
Server Software | Running server software is not itself required to improve an organization’s security posture, so the absence of Server Software findings carries no penalty or negative impact to the rating. |
Desktop Software | This default grade does not negatively impact the rating; it is equivalent to a perfect grade. It is assigned when either there are no findings or the estimated number of users falls below the minimum threshold. |
Mobile Software | This default grade does not negatively impact the rating; it is equivalent to a perfect grade. It is assigned when either there are no findings or the estimated number of users falls below the minimum threshold. |
DNSSEC | No ratings impact. This risk vector does not currently affect security ratings; it is being evaluated for a period before being factored into Bitsight Security Ratings. |
Mobile Application Security | Not all organizations offer mobile applications. This default grade is assigned if the organization has not published any mobile applications (no assets). |
Web Application Security | Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic; some firewalls also detect and block external scanning tools. The default is set in the center of the grading scale for computing into security ratings. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. |
DMARC | DMARC is temporarily not graded. |
Domain Squatting | This is an informational risk vector. It does not currently affect security ratings. |
File Sharing | The rating is positively impacted if there are no File Sharing findings. |
Exposed Credentials | Default: Not applicable. |
Security Incidents | The absence of ratings-impacting Security Incidents does not positively affect security ratings, but their presence has a negative impact. This default grade is designed to neutralize any positive or negative impact from the risk vector. |
- November 22, 2024: Default grading behavior updated.
- April 30, 2024: Incorporated DMARC.
- March 20, 2024: Published.