SecurityScorecard glossary

In this article:

We continuously update this glossary. If you do not see a term you are looking for, submit a Support request to have it added.

A — F

Application Security

A scoring factor that concerns detection of common website application vulnerabilities. It has a Medium weight.

claimed Scorecard

A Scorecard for an organization with at least one active SecurityScorecard platform account. 

asset

An IP address or domain that is part of a Digital Footprint.

breach

Any incident where parties gain unauthorized access to computer data, applications, networks, or devices. The parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.

Common Vulnerabilities and Exposures (CVE)

A reference system for publicly known information-security vulnerabilities and exposures, each of which has an ID that begins with a CVE- prefix. Learn more.

Common Vulnerability Scoring System (CVSS)

A free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score maps to one of four severity levels (low, medium, high, and critical) to help with vulnerability assessment and prioritization. Learn more.

compensating control

A mechanism or action that satisfies the requirement for a security measure that is deemed too difficult or impractical to implement. To resolve a finding in your Scorecard, you can cite a compensating control. For example, the issue type Outdated Operating System Observed may have two possible compensating controls:

• The detected operating systems are in a guest wireless network that is fully segmented from production infrastructure.
• Your organization has purchased an extended support contract for Windows 7 from Microsoft.

Cubit Score

A scoring factor that measures a variety of security issues and best practices, as with the following issue types:

• Ransomware-Susceptible Remote Access Services Exposed

• Exposed Subdomain

This factor has a Medium weight. 

Custom Scorecard

A Scorecard that you can derive from a primary Scorecard to assess a specific segment or cross-section of an organization. You use search filters to isolate the assets that interest you. Once created, a custom Scorecard evolves through its own update cycle. Although it is derived from a primary Scorecard, it is no longer affected by that Scorecard’s changes. 

decayed finding

An unresolved finding that no longer impacts a score because it has been on a Scorecard for a certain period of time, depending on the issue type. SecurityScorecard considers a finding decayed when: 

• Remediation evidence is not visible from an internet view. For example, the issue may have been remediated behind a gateway. 
• There has been no observed activity for a time period specific to the finding.

DNS Health

A scoring factor that concerns detection of insecure configurations, vulnerabilities, or malicious events in the passive domain name system (DNS) history in a network domain. It has a Medium weight.

Digital Footprint

A visualization of all the assets that SecurityScorecard attributes to a Scorecard. Interlinked domains and IP addresses comprise the high-level organization of a Digital Footprint, and you can filter the data according to various criteria, such as issue types. 

Endpoint Security

A scoring factor that concerns detection of unprotected endpoints or entry points of user tools, such as desktops, laptops, mobile devices, and virtual desktops. It has a High weight.

factor

One of 10 categories of cyber-risk and protection that SecurityScorecard uses to assess and score an organization’s security resilience. Every issue type that appears on a Scorecard is grouped within one of these factor categories. Each factor has a numerical weight that reflects the severity or risk that the factor contributes to the overall cybersecurity posture. A Scorecard’s overall score is calculated as the weighted average of the factor scores.

See factor definitions:

• Application Security
• Cubit Score
• DNS Health
• Endpoint Security
• Hacker Chatter
• IP Reputation
• Information Leak
• Network Security
• Patching Cadence
• Social Engineering

finding

A measurement that consists of an asset from a Digital Footprint, a timestamp of the most recent observation, and information that pertains to a specific issue type. If the issue impacts your score, you can remediate the finding to improve your score. When you click an issue type on your Scorecard to learn more about it, you can review each finding for context to help you remediate it. A finding no longer impacts your score after you resolve it, or when it decays.

G — M

Group

A collection of portfolios that you can organize to assess the cybersecurity of many organizations from a higher-level perspective. For example, you can create a group called APAC that includes portfolios for different countries within that region. This provides you an instant view of general metrics, trends, common issues, and other information for all the organizations you are watching in the APAC region.

Hacker Chatter

A scoring factor that is based on mentions of an organization on hacker websites. It has a Low weight.

IP Reputation

A scoring factor that concerns detection of suspicious activity, such as propagation of malware or spam, within an organization’s network. It has a High weight.

Information Leak

A scoring factor that concerns the compromise of an organization’s confidential information, such as user credentials or sensitive data. Scorecard issues that contribute to this factor are based on the monitored deep web chatter and activities of hackers, who may be in possession of the compromised information. It has a Low weight.

issue type

A cybersecurity-related condition that SecurityScorecard identifies in your Scorecard based on analysis of findings gathered about internet-facing assets. Some issue types impact the score and have High, Medium, or Low severity levels, which are proportional to their degree of risk to the organization. 

Other issue types do not impact the score. Those that are labeled Positive in the Scorecard highlight healthy security practices that can mitigate risk. Informational issue types identify areas of potential risk worth inspection, if not urgent action. For example, issue types derived from third-party partner signals are informational.

Note: Issue types that do not impact a score are currently referred to as signals in Ratings Platform. A different definition for signal refers to a data input that SecurityScorecard uses to derive cybersecurity information. See signal.

All issues are grouped into different factor categories.

malicious reputation

Refers to IP addresses that have been placed on public blocklists because suspicious or malicious activity was detected on hem.

measurement

See finding.

N — W

Network Security

A scoring factor that concerns detection of insecure settings or unenforced policies for preventing unauthorized access, misuse, modification, or denial of a network or  network-accessible resources. It has a Medium weight.

passive scanning

A method of vulnerability detection that uses network data captured from a target device instead of directly interacting with that device.

Patching Cadence

A scoring factor that measures how quickly an organization installs newly released security updates for software and operating systems to mitigate risk. It has a Low weight.

Portfolio

A collection of Scorecards that you can organize, so that you can assess cybersecurity activity, metrics, trends, common issues, and other information for multiple organizations.

You can organize portfolios into groups.

risk

Exposure to a possible danger. Exposure can refer to an attack vector, and possible danger can refer to an exploit. 

For example, for the issue type SPF Record Missing, the attack vector is the absence of a Sender Policy Framework (SPF) record in a domain, which can detect email forgery. A known exploit for this is email spoofing, which has been known to result in phishing attacks. 

The discovery of a risk does not indicate that an attack will happen to an organization, but that it has happened to other organizations with the detected attack vector. There could be other considerations related to the discovery, such as compensating controls.

Scorecard

An objective assessment of an organization’s security posture that SecurityScorecard (SSC) generates based on scans of internet-facing IP addresses, which it then correlates into domains and attributes to the organization as its Digital Footprint. 

SSC directly detects—and collects from third parties—signals from these assets that it interprets as issue types, which indicate potential for, or confirmation of, vulnerabilities and exploits. SSC categorizes these issue types into factors, each with its own numeric score based on its determined importance. These factors comprise an overall numeric score and a letter grade (A-F) that appears prominently on the Scorecard. 

Scorecards motivate organizations to monitor their own—and each others’—risk and to take remediating actions to improve their scores. Because SSC’s scanning and data gathering is continuous, and because organizations engage in remediation, scores can fluctuate.

severity level

The degree of risk that an issue type introduces to an organization. The three levels--High, Medium, and Low--negatively impact a Scorecard’s score. Various industry standards and expert evaluations determine the severity level for any given issue type. For example, severity levels for issues that comprise the Patching Cadence factor map directly to Common Vulnerability Scoring System (CVSS) version 2.0 in the National Vulnerability Database.

Severity levels for issue types are different from factor weights. 

signal

A data input that SecurityScorecard uses in developing findings and measurements to make assertions about an organization’s assets and cybersecurity. Our analysis of signals enables us to identify potential vulnerabilities and exploits or to confirm them.

For example, our scanning infrastructure gathers information about websites open ports. That collected data is a signal. The processing and evaluation of that signal results in issues types on the platform, such as High-Severity Vulnerability in Last Observation.

Note: Issue types that do not impact your score are currently also referred to as signals in Ratings Platform. See issue types.

Social Engineering

A scoring factor that measures your organization’s preparedness for attacks that manipulate users into divulging confidential information, providing network access, or enabling the deployment of malware. A phishing campaign is a typical example. Social Engineering has a Low weight.

slot

One Scorecard or Custom Scorecard that is part of the full quota that you can monitor, according to your SecurityScorecard subscription. For example, if your subscription includes five slots, you can monitor five Scorecards.

threat actor

A person or a group that intends to compromise or harm organizations by exploiting gaps in their cyber-defenses. Their motives vary depending on whether they are cyber-criminals, nation-state operatives, ideologues (hactivists), organization insiders, cyber-vandals, or other parties. Alternate terms include malicious actor, bad actor, or actor.

unrecognized campaign

A set methods for carrying out exploits or attacks that are not known to be associated with any specific threat actors. 

vulnerability

A flaw or weakness in an information system, security procedures, internal controls, or implementation that could be exploited by threat actors for malicious purposes. Each known vulnerability is identified by an official common vulnerability enumeration (CVE) and listed in a National Vulnerability Database (NVD), published by the National Institute of Standards and Technology.

weight

A factor's negative score impact, which is calculated to reflect the severity or risk that the factor contributes to the overall cybersecurity posture. A factor weight of High has the greatest negative scoring impact. The other two factor weights, Medium and Low, have progressively less impact. See the Factor definition to link to individual factors and see their weights.

Factor weights are different from severity levels in issue types.