Guest networks can frequently generate security events due to their open and dynamic nature. Many organizations manage this risk by strictly segmenting guest networks from the organization’s networks. To better reflect controls like these, the impact of guest networks can be removed from the rating with no loss of attack surface visibility. The exclusion lasts for a renewable 1-year period.
Before the end of the 1-year exclusion period, admins are notified to review the exclusions and renew the attestation.
Excluded guest networks still show vulnerabilities and findings, but these are excluded from the rating.
- Keep attack surface visibility into guest networks without impacting your rating and ensure a secure and reliable network environment.
- Continue to identify potential threats in guest networks.
- Remediate and mitigate any issues and threats arising from guest networks.
- Reduce the risk from a relatively uncontrolled guest network.
Identifying Guest Networks
- Ratings Tree: Any entity with a Guest Network Exclusion is indicated (with the node expanded) with a Yes in the Guest Network Exclusion field.
- Findings Table: Identify findings in the Findings Table related to excluded guest networks by using the Impacts Risk Vector Grade filter with No: Guest Network Exclusion selected.
Self-Attesting Guest Networks for Exclusion
To self-attest IP addresses that serve as exit points for guest networks:
How to remove guest networks
- Enter the IP addresses into the attestation form (you must be signed in to access this file).
- Have the form signed by a C-level official or Director of IT or similar role.
- Send the form to Bitsight Support.
Validation
A validation process checks that the events observed on these IP addresses align with typical guest network behavior. Validation occurs on a case-by-case basis and considers feedback and additional context.
Criteria:
- There haven't been any open port events in the past 6 months.
- There are no signs of domain hosting in the past 6 months.
- The exclusion is a /24 CIDR block or smaller.
- April 23, 2025: Published.