This article details the 7 areas of analysis performed on the 3 types of public assets of a company (IP address, URL and domain name).
Summary:
The algorithm of the Security Rating® tool performs several tests on the 3 types of public assets of a company.
The tests performed on the assets are divided into 6 areas of analysis.
Attack surface
Objective: detect entry points that could be exploited by an attacker to perform malicious actions.
Risks linked to an overly large attack surface:
The main risk associated with a poor rating is the possibility of access to the organization's information assets, through sensitive services open on the Internet.
Performed tests:
The Security Rating® attack surface tests reveal weaknesses on the company's Internet perimeter. These are exposed attack points that attackers could potentially exploit to break into the client's IS via a vulnerability.
Technically, these tests focus on detecting the presence of risky services on external assets (dangerous protocols such as telnet, exposure of sensitive services such as database server ports). These tests are performed on public IP addresses accessible from the Internet. They look for open ports that expose protocols to the Internet and put your organization at risk.
You earn points if you apply the recommendations for detected open ports.
You lose points if the number of open ports considered dangerous increases.
Messaging
Objective: check if your organization is protected against potential identity theft.
Risks associated with poor messaging hardening:
The risks associated with poor email scoring are identity theft, phishing, interception and hijacking of email infrastructures.
Performed tests:
The Security Rating® verifies the presence of technical devices limiting these risks as well as Open Relay type services. The tests analyze the configuration and practices in place to ensure the confidentiality of exchanges.
Technically, the tests are of the following types:
- SMTP with STARTTLS, which protects the confidentiality of exchanges between mail servers.
- SPF and DMARC, which help fight identity theft (CEO fraud, fake bank details (RIB) scam).
- Open Relay, to ensure that the server does not relay spam.
These tests are performed on the mail servers. They check if the DMARC standard is properly applied and if the SPF and DKIM protocols are properly configured.
You earn points if you follow the recommendations for DMARC, SPF and DKIM configuration.
You lose points if the SPF and DKIM protocols are not properly configured and if your SMTP server is configured as Open Relay.
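To make the SPF, DKIM and DMARC checks above concrete, here is an added example (not Board of Cyber's code) that classifies TXT records the way such a test might: the records, domain names and selector are constructed for the example, and a real tool would query DNS instead of reading a dictionary.

```python
import re

# Constructed sample TXT records keyed by owner name (assumed data, not a real zone)
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weak.test": ["v=spf1 include:_spf.weak.test +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

def _tags(record):
    """Parse the 'k=v; k=v' tag syntax shared by DMARC and DKIM records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def spf_status(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # several SPF records is a permanent error for receivers
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", spf[0].lower())
    # -all / ~all reject or soft-fail unknown senders; +all, ?all or no 'all' lets anyone spoof
    return "ok" if m and m.group(1) in ("-", "~") else "weak"

def dmarc_status(records):
    for r in records:
        tags = _tags(r)
        if tags.get("v", "").upper() == "DMARC1":
            # p=none only monitors; quarantine or reject actually blocks spoofed mail
            return "ok" if tags.get("p", "").lower() in ("reject", "quarantine") else "weak"
    return "missing"

def dkim_status(records):
    for r in records:
        tags = _tags(r)
        if tags.get("v", "").upper() == "DKIM1" or "p" in tags:  # v= tag is optional
            return "ok" if tags.get("p") else "revoked"  # empty p= means the key was revoked
    return "missing"

def assess(domain, txt, selector):
    """Rate one domain from a dict of TXT records (a live tool would query DNS instead)."""
    return {
        "spf": spf_status(txt.get(domain, [])),
        "dmarc": dmarc_status(txt.get(f"_dmarc.{domain}", [])),
        "dkim": dkim_status(txt.get(f"{selector}._domainkey.{domain}", [])),
    }
```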
Web TLS / SSL
Objective: verify that Internet exchanges meet the following security requirements: authentication, confidentiality and integrity.
Risks related to poorly hardened TLS / SSL web servers:
The risk associated with a bad TLS / SSL web rating is the lack of confidentiality of exchanges.
Performed tests:
The Security Rating® inspects the hardening of web components and the quality of their protection. The tests specifically analyze the configuration and best practices in place to secure communications, especially encryption.
Technically, the tests relate to:
- TLS/SSL configuration (negotiation with recent TLS implementations, refusal of obsolete protocols such as SSL, etc.)
- certificates
- security headers
- SSL vulnerabilities
These tests are performed on URLs that belong to your organization.
They check if the exchanges over the Internet meet the following security requirements: authentication, confidentiality and integrity.
You earn points if you follow the recommendations to properly configure a non-vulnerable TLS/SSL version.
You lose points if TLS/SSL is not configured, or if the version used is known to be vulnerable.
Security Control
Objective: check if the entries in the domain name configuration are secure via the DNS implementation.
Risks associated with poor security controls:
The risk associated with a poor security control rating is that domain name configuration (DNS) entries are falsified and your visitors are redirected to a malicious site.
Performed tests:
The Security Rating® looks for protections against tampering with DNS configurations and the potential presence of major vulnerabilities (e.g., Log4j).
Technically, these tests aim to verify the DNS implementation and in particular DNSSEC. DNSSEC is a protocol standardized by the IETF to solve certain security problems related to the DNS protocol.
These tests are performed on the domain names that belong to your organization. They check if the DNSSEC protocol is properly configured.
You earn points if you follow the recommendations for properly configuring the DNSSEC protocol.
You lose points if DNSSEC is not configured.
Potential vulnerabilities
Objective: check your organization's URLs for vulnerabilities.
Risks related to the presence of potential vulnerabilities:
A poor rating reflects poor patching quality and frequency. The risk is that the organization does not maintain a satisfactory level of security over time. An obsolete or unpatched system is another entry point into the information system.
Performed tests:
Unlike a vulnerability scan (intrusive approach), the Security Rating® collects clues to deduce the likely components used. With this information, the solution deduces the existence of potential vulnerabilities on the evaluated perimeter.
Technically, these tests aim to identify known vulnerabilities by matching the types and versions of services identified during the analysis against the vulnerability databases consolidated by the Board of Cyber SOC.
These tests are performed on URLs that belong to your organization. They check whether the components present on a URL are known to have vulnerabilities.
You earn points if you fix the potential vulnerabilities related to the version of the technology that you use.
You lose points if the target remediation time for vulnerabilities is exceeded. The loss of points also depends on the level of severity of the vulnerabilities.
Update performance
Objective: measure the patching speed of the vulnerabilities identified in the category of the same name.
A poor update performance rating indicates a poor patching frequency. This poor patching frequency can be considered an unsatisfactory level of security over time. An obsolete or non-updated system is another entry point into the information system.
The tool does not take into account patches that do not change the version number. We therefore recommend upgrading the version so that the tool can take the fix into account.
Assessment principle:
The data in the potential vulnerabilities category is recorded over time. A target remediation time is assigned to each criticality level. When a potential vulnerability has been present for longer than the target remediation time, a penalty proportional to the time exceeded and to the criticality is applied.
When the potential vulnerability disappears, the penalty is progressively erased. The rate of erasure is inversely proportional to the time taken to exceed the initial target.
The category score is a weighted aggregation of all these calculations for the perimeter under consideration.
You gain points if you update regularly and the updates upgrade the version.
You lose points if the time between each update is too long and if these updates do not allow you to upgrade versions.
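As an added illustration of the assessment principle above (not the Security Rating® tool's own formula): the target remediation times, severity weights and penalty slope below are assumptions, and only the shape of the calculation (penalty proportional to overrun and criticality, progressive erasure at a rate inversely proportional to the overrun, weighted aggregation) follows the description.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed target remediation time in days per criticality level (the page gives no figures)
TARGET_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed criticality weight applied to the penalty
SEVERITY_WEIGHT = {"critical": 4.0, "high": 3.0, "medium": 2.0, "low": 1.0}
PENALTY_PER_DAY = 0.5  # assumed penalty points per day of overrun, per unit of weight

@dataclass
class PotentialVuln:
    first_seen: int                  # day number when the vulnerability entered the history
    severity: str
    last_seen: Optional[int] = None  # day it disappeared; None while still present
    asset_weight: float = 1.0        # weight of the asset in the perimeter aggregation

def overrun_days(v: PotentialVuln, today: int) -> int:
    """Days the issue stayed open beyond its target remediation time."""
    end = today if v.last_seen is None else v.last_seen
    return max(0, (end - v.first_seen) - TARGET_DAYS[v.severity])

def penalty(v: PotentialVuln, today: int) -> float:
    over = overrun_days(v, today)
    base = PENALTY_PER_DAY * SEVERITY_WEIGHT[v.severity] * over  # proportional to overrun and criticality
    if v.last_seen is None or over == 0:
        return base
    # Fixed: erase progressively. The fraction erased per day is 1/over (assumed), i.e. the
    # erasure rate is inversely proportional to the overrun, so a long overrun fades slowly.
    days_since_fix = today - v.last_seen
    return base * max(0.0, 1.0 - days_since_fix / over)

def category_score(vulns, today: int, max_score: float = 100.0) -> float:
    """Weighted aggregation of all penalties on the perimeter, as a score out of max_score."""
    total_weight = sum(v.asset_weight for v in vulns) or 1.0
    weighted_penalty = sum(v.asset_weight * penalty(v, today) for v in vulns) / total_weight
    return max(0.0, max_score - weighted_penalty)
```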
Security incidents
Objective: highlight security incidents and verify that they are handled quickly.
Risks related to the presence of security incidents:
A poor rating demonstrates the organization's inability to detect and handle potential security incidents with due diligence.
Incident types may include malicious activity, Malware Hosting, Phishing, Tor, Internet Scanning, Spamming, and IP Reputation.
Performed tests:
The Security Rating® tracks security incidents discovered on the assets in the company's mapping.
Technically, for evidence of compromise, grouped in the "security events" category, we search the cyber threat intelligence databases of the Board of Cyber SOC / CSIRT and our incident databases.
You earn points if security incidents are corrected in a timely manner.
You lose points according to the severity of the incident detected and the remediation time.