Risk Categories and Sub-Categories

Categories & Subcategories

Metrics are grouped into subcategories, which are in turn grouped into a parent category. The scores at both the category and subcategory levels are derived directly from the component metrics.

Threat Indicators

Threat indicators are active observations of malicious or suspicious activity on an organization's digital footprint. Flagged assets warrant immediate attention to investigate and remediate.

The following subcategories group the metrics that measure the incidence of issues found.


IP Reputation

IP reputation, as it relates to the management of an organization's IP space, is an active threat indicator. It reflects how external monitoring organizations view your IP addresses, based on the behaviour they have observed from hosts on those addresses.

This information is aggregated into the Firehol IP lists data feed, and RiskIQ matches those list hits against an organization's IP blocks.

Other organizations use the same feeds to power the blacklists in their firewalls, so listed hosts are blocked. By investigating suspect hosts, remediating them, and then negotiating with the blacklist providers to remove the IP from their list, you can reduce the business impact to your organization.

Read more about Firehol aggregated blacklists here: http://iplists.firehol.org
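The matching step described above, as an added example that is not RiskIQ's code: it parses a feed in the one-entry-per-line, '#'-comment layout that Firehol netset files use and reports every entry that overlaps one of the organization's IP blocks. The feed text and the organization's blocks are constructed sample data.

```python
"""Match a Firehol-style IP list against an organization's own IP blocks.

Added example, not RiskIQ code. The feed text and the organization's IP
blocks are constructed sample data; the feed follows the one-entry-per-line,
'#'-comment layout of Firehol netset files.
"""
from __future__ import annotations

import ipaddress
from typing import Iterator

# Constructed sample feed in netset layout (not a real list).
SAMPLE_FEED = """\
#
# sample_blocklist (constructed for this example)
#
192.0.2.0/24
198.51.100.17
203.0.113.0/25   # trailing comment
# a malformed line that a parser must tolerate
not-an-ip
"""

# Constructed example of an organization's registered IP blocks.
ORG_BLOCKS = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.128/25"]


def parse_netset(text: str) -> Iterator[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Yield networks from netset text, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        try:
            # strict=False tolerates host bits; a bare IP becomes a /32 (or /128)
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            # A malformed entry must not abort processing of the whole feed.
            continue


def reputation_hits(feed_text: str, org_blocks: list[str]) -> list[tuple[str, str]]:
    """Return sorted (org_block, listed_entry) pairs for every feed entry that
    overlaps one of the organization's blocks. One listed host inside a block
    is enough to put that block on the review queue."""
    blocks = [ipaddress.ip_network(b) for b in org_blocks]
    hits = []
    for listed in parse_netset(feed_text):
        for block in blocks:
            if listed.version == block.version and listed.overlaps(block):
                hits.append((str(block), str(listed)))
    return sorted(hits)


if __name__ == "__main__":
    for block, entry in reputation_hits(SAMPLE_FEED, ORG_BLOCKS):
        print(f"{block} overlaps listed entry {entry}")
```

Each hit names the organization's block and the listed entry that touched it, which is the pair you need when opening an investigation ticket and, later, a delisting request with the feed's maintainer.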


Malware

RiskIQ crawls your Enterprise Assets on a regular basis, inspecting individual links and webpages. As part of the inspection process the artifacts are screened for the presence of malware. Artifacts identified are flagged on the RiskIQ Malware List. Third-party lists such as Google Safe Browsing and VirusTotal are also incorporated into the analysis.

Websites in the organization that have been listed on security blacklists for hosting malware should be reviewed by the organization's Incident Response team. They can be indicators of compromise from a security attack. An actual malware infection can affect web traffic by causing browsers and ad networks to block user traffic to the web host.

It can take 7-10 days to clean up the website's reputation once it has been blacklisted by major anti-virus vendors and safe browsing lists. During this time both traffic and ads can be blocked, with a permanent impact on the website's SEO ranking. For high-profile incidents, there can be a lasting impact on the brand.


Phish

RiskIQ crawls your Enterprise Assets every 3 days. As part of the inspection process the webpages are screened for phishing content. Any suspect webpages identified are flagged on the RiskIQ Phish List. Third-party lists such as Google Safe Browsing and VirusTotal are also incorporated into the analysis.

Websites in the organization that are being used for phishing attacks should be reviewed by the organization's Incident Response team. They can be indicators of compromise from a security attack. Phishers may exploit your website simply as a free host in order to bypass security filters; the impact is even more serious if the website is used to impersonate the organization's brand in a phishing attack on its customers. A phishing attack can affect web traffic by causing browsers and ad networks to block user traffic to the website.

It can take 7-10 days to clean up the website's reputation once it has been blacklisted by major anti-virus vendors and safe browsing lists. During this time both traffic and ads can be blocked, with a permanent impact on the website's SEO ranking. For high-profile incidents, there can be a lasting impact on the brand.


Security Posture

Security Posture is a measurement of the maturity and complexity of an organization's security program, based on the analysis of the external-facing assets that comprise its Digital Footprint.

It comprises the technical and non-technical policies, processes, and controls that mitigate the risk of external threats to the organization's Digital Attack Surface.

The following subcategories group the metrics that measure the incidence of issues found.


Website CVE Exposure

The security posture related to the management of an organization's website portfolio is determined by analysing a website's components, such as frameworks, server software and third-party plugins, and matching them against known Common Vulnerabilities and Exposures (CVE) entries, which are updated daily.

RiskIQ identifies these potential avenues for compromise for further investigation with vulnerability assessment tools.

The websites are inspected daily for web-component analysis. Only active websites and web components with version numbers contribute to a Risk Score.
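How component-to-advisory matching works, as an added example that is not RiskIQ's matcher: detected components are compared against affected version ranges using numeric (not string) version comparison, and inactive sites or components without a version number are skipped, as the rule above requires. The inventory and advisory table are constructed, and the advisory ids are labelled placeholders rather than real CVE numbers.

```python
"""Match detected web components against known-vulnerable version ranges.

Added example, not RiskIQ's matcher. The component inventory and the
advisory table are constructed sample data; the advisory ids are labelled
placeholders, not real CVE numbers.
"""
from __future__ import annotations

import re


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically: as
    strings, '1.2.10' would sort before '1.2.9'. Only the leading digits of
    each piece count, so '3.1rc2' becomes (3, 1)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


# Constructed advisories: component, first affected version, first fixed version (exclusive).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "examplecms", "affected_from": "4.0", "fixed_in": "4.7.2"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "examplecms", "affected_from": "5.0", "fixed_in": "5.1.1"},
    {"id": "ADVISORY-PLACEHOLDER-3", "component": "exampleserver", "affected_from": "2.4.0", "fixed_in": "2.4.50"},
]


def is_affected(version: str, advisory: dict) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def cve_exposure(components: list[dict], advisories: list[dict]) -> list[dict]:
    """Return one finding per (component, advisory) match.

    Inactive sites and components without a version number are skipped, which
    mirrors the rule that only active, versioned components score."""
    findings = []
    for comp in components:
        if not comp.get("active") or not comp.get("version"):
            continue
        for adv in advisories:
            if adv["component"] == comp["name"].lower() and is_affected(comp["version"], adv):
                findings.append({"site": comp["site"], "component": comp["name"],
                                 "version": comp["version"], "advisory": adv["id"]})
    return findings


# Constructed inventory as a crawler might report it.
INVENTORY = [
    {"site": "www.example.com", "name": "ExampleCMS", "version": "4.7.1", "active": True},
    {"site": "shop.example.com", "name": "ExampleCMS", "version": "4.7.10", "active": True},
    {"site": "old.example.com", "name": "ExampleCMS", "version": "5.0.3", "active": False},
    {"site": "www.example.com", "name": "exampleserver", "version": None, "active": True},
    {"site": "api.example.com", "name": "exampleserver", "version": "2.4.49", "active": True},
]

if __name__ == "__main__":
    for f in cve_exposure(INVENTORY, ADVISORIES):
        print(f"{f['site']}: {f['component']} {f['version']} matches {f['advisory']}")
```

Note that shop.example.com on 4.7.10 is correctly not matched against the range ending at 4.7.2; a naive string comparison would have flagged it, which is the kind of false positive that makes teams distrust the metric.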


Website Security Policies

The security posture related to the management of an organization's website portfolio is determined by analysing a website's configuration and its implementation of best practice in securing customer data.

Configuration policies are tested by checking HTTP response headers against the OWASP Secure Headers Project.

Data security is tested by checking for insecure login forms.

Read more about Security Policies here: https://info.riskiq.net/help/website-asset-security-policies

The websites themselves are inspected daily for security policy violations, and only active websites contribute to a Risk Score.
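Both checks above, header policy and insecure login forms, as an added example that is not RiskIQ's checker. The header list is a starting subset of the OWASP Secure Headers Project recommendations (an assumption about which headers to require), and the sample response headers and HTML page are constructed.

```python
"""Check an HTTP response's security headers and look for insecure login forms.

Added example, not RiskIQ's checker. The required-header list is an
assumed starting subset of the OWASP Secure Headers Project; the sample
response and page are constructed.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Header name -> test that its value is acceptable (assumed baseline).
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: bool(v.strip()),
}


def header_findings(headers: dict[str, str]) -> list[str]:
    """Return the required headers that are missing or carry a weak value."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, acceptable in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing {name}")
        elif not acceptable(lowered[name]):
            findings.append(f"weak {name}: {lowered[name]!r}")
    return findings


class _FormCollector(HTMLParser):
    """Collects every <form> and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # each: {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url: str, html: str) -> list[str]:
    """Return the action URLs of password forms exposed to plain HTTP, either
    because the form posts over http or because the page carrying it was
    itself served over http (a page altered in transit can rewrite the action)."""
    parser = _FormCollector()
    parser.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    insecure = []
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])  # resolve relative actions
        if not page_is_https or urlparse(target).scheme != "https":
            insecure.append(target)
    return insecure


# Constructed sample: a weak response and a page with three forms.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_PAGE = """
<form action="/search"><input name="q"></form>
<form action="http://www.example.com/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="https://auth.example.com/login" method="post">
  <input type="password" name="pw"></form>
"""

if __name__ == "__main__":
    print(header_findings(SAMPLE_HEADERS))
    print(insecure_login_forms("https://www.example.com/", SAMPLE_PAGE))
```

The search form is ignored because it carries no password field; only forms that collect credentials count as login forms for this check.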


Open Ports

The security posture related to the management of an organization's IP space is determined through observations of active open ports found in the IP space of an organization's digital footprint. Attackers commonly scan ports across the internet looking for known service vulnerabilities or misconfigurations to exploit. RiskIQ identifies these ports as a complement to vulnerability assessment tools, so that flagged observations can be reviewed by the organization's information technology team to ensure they are under management and restricted from direct access from the open internet.

RiskIQ undertakes basic TCP SYN/ACK mass scanning for open ports on all addresses in the IPv4 space. Our infrastructure scans 114 ports on a weekly basis. RiskIQ matches IPs with an observed open port against an organization's IP blocks. For further information on Open Ports refer to the article below: https://info.riskiq.net/help/open-ports-in-inventory
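The review step on the receiving end, as an added example that is not RiskIQ tooling: open-port observations are matched against the organization's IP blocks and anything not on the block's list of deliberately exposed ports is queued for the IT team. Both the observation feed (in an assumed "ip,port" line format) and the per-block approved-port policy are constructed.

```python
"""Triage open-port observations against an organization's IP blocks.

Added example, not RiskIQ tooling. It assumes a feed of "ip,port"
observations and, per IP block, the set of ports the IT team has
deliberately exposed to the internet; both are constructed below.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed: the organization's IP blocks with their approved internet-facing ports.
ORG_POLICY = {
    "198.51.100.0/24": {80, 443},      # public web tier
    "203.0.113.0/26": {25, 443, 587},  # mail relay segment
}

# Constructed "ip,port" observations, one per line, as a mass scanner might report.
OBSERVATIONS = """\
198.51.100.10,443
198.51.100.10,80
198.51.100.22,3389
198.51.100.22,445
203.0.113.5,25
203.0.113.70,22
192.0.2.9,22
"""


def parse_observations(text: str) -> list[tuple[ipaddress.IPv4Address | ipaddress.IPv6Address, int]]:
    """Parse "ip,port" lines; blank lines and '#' comments are skipped."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip_text, port_text = line.split(",", 1)
        observations.append((ipaddress.ip_address(ip_text.strip()), int(port_text)))
    return observations


def triage(observations, policy: dict[str, set[int]]) -> dict[str, list[int]]:
    """Return {ip: [unapproved open ports]} for hosts inside the organization's blocks.

    Hosts outside every block are ignored (they are not the organization's);
    approved ports are ignored; anything else is queued for review."""
    blocks = [(ipaddress.ip_network(cidr), allowed) for cidr, allowed in policy.items()]
    flagged: dict[str, set[int]] = defaultdict(set)
    for ip, port in observations:
        for network, allowed in blocks:
            if ip in network:
                if port not in allowed:
                    flagged[str(ip)].add(port)
                break  # a host belongs to at most one block here
    return {ip: sorted(ports) for ip, ports in sorted(flagged.items())}


if __name__ == "__main__":
    for host, ports in triage(parse_observations(OBSERVATIONS), ORG_POLICY).items():
        print(f"{host}: review ports {ports}")
```

Note that 203.0.113.70 falls outside the /26 (which ends at .63) and is therefore not attributed to the organization; block boundaries matter, which is why observations are matched against registered IP blocks rather than loose address ranges.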

Domains Configuration

An organization's security posture related to the configuration of domain names is seen through external observations of the policies, procedures, and controls applied to the organization's domain portfolio.

Extensible Provisioning Protocol (EPP) domain status codes, also called domain name status codes, indicate the status of a domain name registration. Every domain has at least one status code, and many have more than one.

Read more about EPP here: https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
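What a reviewer looks for in those status codes, as an added example that is not RiskIQ's metric: a domain should carry transfer, delete and update locks (set by the registrar as "client..." codes or by the registry as "server..." codes), and hold, redemption or pending-delete states need attention. The code names are the standard EPP codes on the ICANN page linked above; the portfolio is constructed sample data in the form a WHOIS or RDAP lookup reports.

```python
"""Review a domain portfolio's EPP status codes for missing locks and
at-risk states.

Added example, not RiskIQ's metric. The status code names are the standard
EPP codes documented by ICANN; the portfolio below is constructed sample
data, as a WHOIS/RDAP lookup would report it.
"""
from __future__ import annotations

# Registrar-set ("client") and registry-set ("server") locks. Either one of a
# pair is enough to block the corresponding operation.
LOCKS = {
    "transfer": {"clientTransferProhibited", "serverTransferProhibited"},
    "delete": {"clientDeleteProhibited", "serverDeleteProhibited"},
    "update": {"clientUpdateProhibited", "serverUpdateProhibited"},
}

# Codes meaning the name is suspended or on the path to deletion.
AT_RISK = {"clientHold", "serverHold", "pendingDelete", "redemptionPeriod"}


def evaluate_statuses(statuses: list[str]) -> list[str]:
    """Return findings for one domain's status codes (empty if well configured).

    A domain whose only status is 'ok' has no restrictions at all, so every
    lock is reported as missing."""
    codes = set(statuses)
    findings = [f"no {op} lock" for op, lock_codes in LOCKS.items() if not codes & lock_codes]
    findings.extend(f"at-risk status {code}" for code in sorted(codes & AT_RISK))
    return findings


def review_portfolio(portfolio: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each domain that has at least one finding to its findings."""
    results = {}
    for domain, statuses in portfolio.items():
        findings = evaluate_statuses(statuses)
        if findings:
            results[domain] = findings
    return results


# Constructed portfolio.
SAMPLE_PORTFOLIO = {
    "example.com": ["clientTransferProhibited", "clientDeleteProhibited",
                    "clientUpdateProhibited", "serverTransferProhibited"],
    "example.net": ["ok"],
    "example.org": ["clientTransferProhibited", "clientHold"],
}

if __name__ == "__main__":
    for domain, findings in review_portfolio(SAMPLE_PORTFOLIO).items():
        print(domain, "->", "; ".join(findings))
```

A missing transfer lock is the finding to act on first, since it is the control that stands between a registrar-account compromise and a hijacked domain.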


Domains Administration

A measure of who manages an organization's domains, and where. A decentralized domain portfolio management program may lead to unnecessary threats, including, but not limited to, domain hijacking, domain shadowing, email spoofing, phishing, and illegally transferred domains.

Currently this is an informational metric only and does not contribute to the Risk Score.


SSL Configuration

The security posture for the configuration of an organization's SSL certificate portfolio determines both customer experience and the risk of data compromise. In most modern browsers, websites with an expired SSL certificate or outdated encryption will be blocked with a warning message to the user, impacting web traffic and brand trust. Users who proceed can have their communications with the website intercepted by a man-in-the-middle (MITM) attack.

SSL certificates that use outdated encryption can be broken easily. Wildcard and self-signed certificates can be leveraged by rogue actors to make rogue hosts appear to be trusted.
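The four risks above (expiry, outdated protocol, wildcard and self-signed certificates) as a checker, added here as an example that is not RiskIQ's own check. The certificate dicts use the layout Python's ssl.SSLSocket.getpeercert() returns and the protocol string is what SSLSocket.version() returns, so a live observation can be passed in unchanged; the two sample certificates and the fixed reference time are constructed.

```python
"""Flag certificate and protocol risks: expiry, self-signing, wildcard
names and outdated protocol versions.

Added example, not RiskIQ's check. The certificate dicts use the layout
that ssl.SSLSocket.getpeercert() returns and the protocol string is what
SSLSocket.version() returns; the two sample certificates are constructed.
"""
from __future__ import annotations

import ssl
import time

# Protocol names (as SSLSocket.version() reports them) no longer considered safe.
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
EXPIRY_WARNING_SECONDS = 30 * 86400


def _rdn_to_dict(rdns) -> dict[str, str]:
    """getpeercert() encodes subject/issuer as nested tuples of (key, value)
    pairs; flatten them to a plain dict so the two can be compared."""
    return {key: value for rdn in rdns for key, value in rdn}


def certificate_findings(cert: dict, protocol: str, now: float | None = None) -> list[str]:
    """Return the findings for one observed certificate/protocol pair."""
    now = time.time() if now is None else now
    findings = []

    # notAfter is in the "Jan 15 12:00:00 2035 GMT" form ssl.cert_time_to_seconds parses.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("expired")
    elif not_after - now < EXPIRY_WARNING_SECONDS:
        findings.append("expires within 30 days")

    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        findings.append("self-signed")

    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if "commonName" in subject:
        names.append(subject["commonName"])
    if any(name.startswith("*.") for name in names):
        findings.append("wildcard certificate")

    if protocol in OUTDATED_PROTOCOLS:
        findings.append(f"outdated protocol {protocol}")
    return findings


# Constructed observations. A live one comes from getpeercert()/version() on a
# socket wrapped with ssl.create_default_context().
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notAfter": "Jan 15 12:00:00 2035 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
BAD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "*.example.com"),),),
    "notAfter": "Jan 15 12:00:00 2020 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}
# Fixed reference time so results do not drift as the calendar moves.
REFERENCE_NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2025 GMT")

if __name__ == "__main__":
    print(certificate_findings(GOOD_CERT, "TLSv1.3", REFERENCE_NOW))
    print(certificate_findings(BAD_CERT, "TLSv1", REFERENCE_NOW))
```

The 30-day warning is the part a portfolio owner usually wants most: an expiry is a predictable outage, and catching it before browsers start blocking traffic avoids the brand impact described above.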


SSL Organization

A measure of who manages an organization's SSL certificates, and where. An organization's security posture for SSL/TLS certificates is a critical component of security for web-based communication. Decentralized or complex management of SSL certificates heightens the risk of certificates expiring, the use of weak ciphers, and potential exposure to fraudulent SSL registrations.

Currently this is an informational metric only and does not contribute to the Risk Score.


Hosting & Networking

The security posture related to where an organization's hosts are located. The risk associated with ownership of autonomous systems depends on the size and maturity of an organization's IT department.

Currently this is an informational metric only and does not contribute to the Risk Score.