When there is insufficient data to grade a risk vector, a default risk vector grade is assigned. The threshold for what counts as insufficient data varies by risk vector.
Insufficient data could be due to any of the following reasons:
- There are no findings, or the number of findings is low.
- For Desktop Software and Mobile Software, the estimated number of users falls below a minimum threshold.
- For Mobile Application Security, the organization has not published any mobile applications (no assets).
- We are temporarily unable to collect data.
❖ For select risk vectors, the most recent grade is assigned for up to 400 days before being assigned the default grade.
Default Grades by Risk Vector
| Risk Vector | Behavior |
|---|---|
| SPF Domains | Having SPF records for all domains (including SMTP servers and those that aren’t configured to send email) is best practice. If a company does not intend to send email from a domain, an attacker can still use that domain to spoof email. Only domains that are sending email and don’t have SPF records are affected. |
| DKIM Records | Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. This is set in the center of the grading scale for computing into security ratings. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade. |
| TLS/SSL Certificates | This is set in the center of the grading scale for computing into Bitsight Security Ratings. Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external data gathering tools from getting any data. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade. |
| TLS/SSL Configurations | This is set in the center of the grading scale for computing into Bitsight Security Ratings. Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external data gathering tools from getting any data. |
| Open Ports | Companies are not required to run open port services. The rating is positively impacted if there are no findings for this risk vector. |
| Web Application Headers | Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external scanning tools from getting any data. This is set in the center of the grading scale for computing into security ratings. |
| Patching Cadence | The rating is positively impacted if there are no findings for this risk vector within its lifetime. |
| Insecure Systems | The rating is positively impacted if there are no findings for this risk vector. |
| Server Software | The use of server software is not required to improve an organization’s cyber security posture. Therefore, there is no penalty or negative impact to the rating in the absence of Server Software findings. |
| Desktop Software | This default grade does not have a negative impact on the rating. It is equivalent to a perfect grade. Either: |
| Mobile Software | This default grade does not have a negative impact on the rating. It is equivalent to a perfect grade. Either: |
| DNSSEC | No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings. |
| Mobile Application Security | Not all organizations have mobile application offerings. This default grade is assigned if the organization has not published any mobile applications (no assets). |
| Web Application Security | Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external scanning tools from getting any data. This is set in the center of the grading scale for computing into security ratings. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade. |
| DMARC | DMARC is a temporarily non-graded risk vector. |
| Domain Squatting | This is an informational risk vector. It does not currently affect security ratings. |
| File Sharing | The rating is positively impacted if there are no File Sharing findings. |
| Exposed Credentials | Default: Not applicable. |
| Security Incidents | The absence of ratings-impacting Security Incidents does not positively affect security ratings, but their presence has a negative impact. This default grade is designed to neutralize any positive or negative impact to the risk vector. |
- April 30, 2024: Incorporated DMARC.
- March 20, 2024: Published.