- April 19, 2023: 2023 RAU weight adjustment.
- October 20, 2021: Ratings Algorithm Update 2021.
- August 20, 2021: Added link to the Ratings Algorithm Update 2021 overview and Release Preview.
⇤ Overview of Risk Categories and Risk Vectors
Rating Details
The Compromised Systems risk category accounts for 27% of a company’s Bitsight Security Rating. Review how Compromised Systems is calculated.
Overview
This risk category indicates the presence of malware or unwanted software, which is evidence of security controls failing to prevent malicious or unwanted software from running within an organization.
A compromised system can lead to a disruption in daily business operations and can increase the risk of data breach.
Separate instances of malware communications, even if it is from the same machine, constitutes a single observation.
Service Providers
Service provider companies might be hosting some of their customer’s infrastructure on their networks. As a result, some Compromised Systems events observed on service provider networks can be due to their customer’s activity.
- Service providers are identified with a “Service Provider” label in their company overview page.
- Compromised Systems findings that belong to an organization’s service provider(s) are marked with a (†) Dagger icon.
Learn more about Shared Responsibility with Cloud Service Providers.
Risk Vectors
We collect information about a wide range of security events. These events are categorized among the following risk vectors:
| Risk Vector | Description |
|---|---|
| Botnet Infections | This risk vector indicates that devices on a company’s network are participating in a botnet (combination of “robot” and “network”), either as bots or as a command and control (C&C or C2) server. |
| Spam Propagation | This risk vector is composed of spambots, where a device on a company’s network is unsolicitedly sending commercial or bulk email (spam). If spam originates from email addresses or devices within a company’s network, this is an indication of an infection. |
| Malware Servers | This risk vector is an indication that a system is engaging in malicious activity, such as phishing, fraud, or scams. A company’s network is hosting malware that is meant to lure visitors to a website or send a file that injects malicious code or viruses. |
| Unsolicited Communications | This risk vector indicates a host is trying to contact a service on another host. It might be attempting to communicate with a server that is not providing or advertising any useful services, the attempt may be unexpected, or the service is unsupported. This also accounts for hosts that might be scanning darknets. |
| Potentially Exploited | This risk vector indicates that a device on a company’s network is running a potentially unwanted program (PUP) or potentially unwanted application (PUA). |
Learn more about the various Compromised Systems risk vectors.
Remediation
At a high level, IP addresses can be used to locate the source of infections. If an organization has a small number of IP addresses, the timestamp activity can be cross-checked with router logs.
For larger organizations or those behind several layers of network routing, the Forensics package provides additional levels of information about Compromised Systems that response teams can use to better pinpoint sources of infections and compromise, such as source ports and destination ports. The Forensics add-on also provides a powerful set of record filters for finding compromised systems.
- Conduct a thorough security review of the machine (malware & antivirus sweep).
- Review services used on the machine and harden firewall rules.
- Improve employee computer safety training (phishing, installing unapproved software).