- April 19, 2023: 2023 RAU weight adjustment.
- October 22, 2021: Published.
There are four primary risk categories: Compromised Systems, Diligence, User Behavior, and Public Disclosures.
The Compromised Systems risk category accounts for 27% of a company’s Bitsight Security Rating.
This risk category indicates the presence of malware or unwanted software, which is evidence of security controls failing to prevent malicious or unwanted software from running within an organization.
A compromised system can lead to a disruption in daily business operations and can increase the risk of data breach.
Each separate instance of malware communication, even if it comes from the same machine, constitutes a single observation.
Compromised Systems Risk Vectors
We collect information about a wide range of security events. These events are categorized among the following risk vectors:
Service provider companies might host some of their customers' infrastructure on their networks. As a result, some Compromised Systems events observed on service provider networks can be due to their customers' activity.
- Service providers are identified with a “Service Provider” label in their company overview page.
- Compromised Systems findings that belong to an organization's service provider(s) are marked with a (†) Dagger icon.
At a high level, IP addresses can be used to locate the source of infections. If an organization has a small number of IP addresses, the timestamp activity can be cross-checked with router logs.
For larger organizations or those behind several layers of network routing, the Forensics package provides additional levels of information about Compromised Systems that response teams can use to better pinpoint sources of infections and compromise, such as source ports and destination ports. The Forensics add-on also provides a powerful set of record filters for finding compromised systems.
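The cross-check described above (matching the IP address and timestamp of a Compromised Systems observation against router or firewall logs, and, where source and destination ports are available, narrowing further) is shown here as an added example. It is not Bitsight's code and does not use the Bitsight export format; the finding records, the log line layout (a simplified NAT-aware firewall log with `src=`, `dst=`, `dport=` and `nat=` fields) and the time window are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample findings. The field names are an assumption for this
# example, not a Bitsight record layout: the public IP the observation was
# attributed to, when it was seen, and the destination it talked to.
FINDINGS = [
    {"ip": "203.0.113.17", "observed": "2023-04-19T10:14:00Z",
     "dst_ip": "198.51.100.9", "dst_port": 443},
    {"ip": "203.0.113.42", "observed": "2023-04-19T11:30:00Z",
     "dst_ip": "198.51.100.77", "dst_port": 8080},
]

# Constructed firewall/router log excerpt. Each line records the internal
# source host, the destination, the destination port and the public (NAT)
# address the connection left under. One malformed line is included to show
# that unparsable input is skipped rather than crashing the correlation.
ROUTER_LOG = """\
2023-04-19T10:13:52Z fw01 allow src=10.0.5.23 dst=198.51.100.9 dport=443 nat=203.0.113.17
2023-04-19T10:14:05Z fw01 allow src=10.0.5.23 dst=198.51.100.9 dport=443 nat=203.0.113.17
2023-04-19T10:20:00Z fw01 allow src=10.0.7.8 dst=192.0.2.10 dport=80 nat=203.0.113.17
this line is not a firewall record
2023-04-19T11:31:10Z fw01 allow src=10.0.9.4 dst=198.51.100.77 dport=8080 nat=203.0.113.42
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) nat=(?P<nat>\S+)$"
)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def correlate(findings, log_text, window=timedelta(minutes=5)):
    """Map each finding's public IP to the internal hosts that plausibly caused it.

    A log record is a candidate when its NAT address equals the finding's IP,
    its destination IP and port equal the finding's, and its timestamp lies
    within `window` of the observation time. The window absorbs clock skew
    between the observer and the firewall; widen it if observations only
    carry day-level precision.
    """
    records = [r for r in (parse_log_line(l) for l in log_text.splitlines()) if r]
    result = {}
    for finding in findings:
        observed = parse_ts(finding["observed"])
        hosts = set()
        for rec in records:
            if rec["nat"] != finding["ip"]:
                continue
            if rec["dst"] != finding["dst_ip"] or rec["dport"] != finding["dst_port"]:
                continue
            if abs(rec["ts"] - observed) > window:
                continue
            hosts.add(rec["src"])
        result[finding["ip"]] = sorted(hosts)
    return result


if __name__ == "__main__":
    for public_ip, internal_hosts in correlate(FINDINGS, ROUTER_LOG).items():
        print(f"{public_ip}: candidate internal hosts -> {internal_hosts or 'none'}")
```

Matching on the NAT address alone would return every host that shared the public IP; adding destination IP and port (the extra detail the text says the Forensics package supplies) is what narrows each observation to one internal machine in this sample. Where logs do not carry a NAT field, the same correlation can be done on the firewall's own translation table or on flow records that include the translated address.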
- Conduct a thorough security review of the machine (malware & antivirus sweep).
- Review services used on the machine and harden firewall rules.
- Improve employee computer safety training (phishing, installing unapproved software).
Diligence accounts for 70.5% of a company’s Bitsight Security Rating.
This risk category assesses the steps a company has taken to prevent attacks, their best practice implementation, and risk mitigation (e.g., server configurations) to determine if the security practices of an organization are on par with industry-wide best practices.
Diligence Risk Vectors
Diligence findings are categorized among the following risk vectors:
- SPF Domains
- DKIM Records
- TLS/SSL Certificates
- TLS/SSL Configurations
- Open Ports
- Web Application Headers
- Patching Cadence
- Insecure Systems
- Server Software
- Desktop Software
- Mobile Software
- DNSSEC Records
- Mobile Application Security
- Domain Squatting
Search for Diligence findings from the Findings page.
Advisory remediation tips explain how to resolve the issue; once it is resolved, the finding no longer negatively affects the overall risk vector grade, which helps improve that grade. Some remediation tips are more detailed than others, depending on the complexity or prevalence of the issue.
WARN and BAD findings have remediation text as part of the finding details pop-up, along with the issues in question. If there are additional ways to improve on the findings that are in line with current industry best practices, remediation text is also available for some GOOD, FAIR, and NEUTRAL findings.
The User Behavior risk category assesses employee activity, such as file sharing and password re-use. These types of activities can introduce malware to an organization or result in a data breach. It accounts for 2.5% of a company’s Bitsight Security Rating.
User Behavior records that are older than 60 days no longer affect a company’s grade. User Behavior records are updated daily.
User Behavior Risk Vectors
The Public Disclosures risk category provides information related to possible incidents of undesirable access to a company’s data, including breaches, general security incidents, and other disclosures. Information is collected from verifiable news sources, both domestic and international, and by filing Freedom of Information Act (FOIA) requests.
Though these events do not necessarily result in data loss, the interruptions to business continuity are relevant and can be used to improve security preparedness.
- Public Discovery
- The earliest date on which information about the security incident became publicly available: through news sources or a filing with regulatory bodies; through the organization's own discovery, where the discovery date was made public; or through notification of the affected parties. When major headline news of unauthorized access is disclosed, we add it to our system within the same week. Note that knowledge of the actual date of the incident is rare, even for the affected company.
- Effective Date
- The date when a Security Incident event was recorded in the Bitsight platform.