- July 21, 2023: Added Web Application Security risk vector.
- April 19, 2023: Risk category and risk vector weight adjustments.
- October 20, 2021: Ratings Algorithm Update 2021.
⇤ Overview of Risk Categories and Risk Vectors
Rating Details
Diligence accounts for 70.5% of a company’s Bitsight Security Rating. Review how Diligence is calculated.
Overview
This risk category assesses the steps a company has taken to prevent attacks, their best practice implementation, and risk mitigation (e.g., server configurations) to determine if the security practices of an organization are on par with industry-wide best practices.
Learn more about Diligence.
Risk Vectors
Diligence findings are categorized among the following risk vectors:
| Risk Vector | Description |
|---|---|
| SPF Domains 1% |
Assesses the effectiveness of Sender Policy Framework (SPF) records, which are DNS records that identify mail servers permitted to send email on behalf of a domain. Properly configured SPF records ensure that only authorized hosts can send email on behalf of a company by providing receiving mail servers the information they need to reject mail sent by unauthorized hosts. |
| DKIM Records 1% |
Assesses the effectiveness of DomainKeys Identified Mail (DKIM) records, which is a countermeasure against adversaries that are attempting to send fake email by using a company’s email domain. Properly configured DKIM records can ensure that only authorized hosts can send email on behalf of a company. |
| TLS/SSL Certificates 10% |
Evaluates the strength and effectiveness of the cryptographic keys within TLS and SSL certificates, which are used to encrypt internet traffic. Certificates are responsible for verifying the authenticity of company servers to associates, clients, and guests, and also serves as the basis for establishing cryptographic trust. |
| TLS/SSL Configurations 15% |
Determines if the used security protocol libraries support strong encryption standards when making connections to other machines. TLS/SSL is a widely used method of securing communications over the Internet. |
| Open Ports 10% |
Observes ports that are exposed to the Internet, known as “open ports.” While certain ports must be open to support normal business functions and few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer openings there are for attack. |
| Web Application Headers 5% |
Analyzes security-related fields in the header section of communications between users and an application. They contain information about the messages, determine how to receive messages, and how recipients should respond to a message. |
| Patching Cadence 20% |
Evaluates systems that are affected by software vulnerabilities (holes or bugs in software, hardware, or encryption methods that can be used by attackers to gain unauthorized access to systems and their data) and how quickly any issues are fixed. |
| Insecure Systems 2.5% |
Assesses endpoints (which can be any computer, server, device, system, or appliance with internet access) that are communicating with an unintended destination. The software of these endpoints may be outdated, tampered, or misconfigured. A system is classified as “insecure” when these endpoints try to communicate with a web domain that doesn’t yet exist or isn’t registered to anyone. |
| Server Software 2% |
Helps track security problems introduced by server software that is no longer supported. Supported software versions receive attention from the software development team and vendor when bugs or vulnerabilities are discovered. |
| Desktop Software 3% |
The version information of laptop and desktop software are compared with the latest and currently available software versions to determine if the device software is supported or out-of-date. |
| Mobile Software 1% |
The version information of mobile device operating systems and browsers are compared with the latest and currently available software versions to determine if the device software is supported or out-of-date. |
| DNSSEC* | Determines if a company is using the DNSSEC protocol, which is a public key encryption that authenticates DNS servers, and then assesses the effectiveness of its configuration. The DNSSEC protocol protects against DNS spoofing, which involves diverting traffic to an attacker’s computer, creating an opportunity for loss of confidentiality, data theft, etc. |
| Mobile Application Security* | Analyzes the security aspects of an organization’s mobile application offerings that are publicly available in official marketplaces, such as the Apple App Store and Google Play. |
| Web Application Security* | Performs multiple assessments related to web application security. It provides information about components with known vulnerabilities, broken authentication and access control, sensitive data exposure, cross-site scripting prevention mechanisms, and security misconfigurations. |
| Domain Squatting** | Detects the presence of domains named similarly to those that are owned and trademarked by an organization. Detection for these types of domains is based on information provided by DNS queries. |
*This risk vector is currently in beta. Therefore, it does not affect Bitsight Security Ratings.
**This risk vector is informational and does not currently affect Bitsight Security Ratings.
Remediation
Search for Diligence findings from the Findings page.
Advisory remediation tips instructing how to resolve the issue are available to help improve the grade as it no longer negatively affects the overall risk vector grade. Some remediation tips are more detailed than others, depending on the complexity or prevalence of the issue.
WARN and BAD findings have remediation text as part of the finding details pop-up, along with the issues in question. If there are additional ways to improve on the finding that are in line with current industry best practices, remediation text is also available for some GOOD, FAIR, and NEUTRAL findings.