SecurityScorecard glossary

We continuously update this glossary. If you do not see a term you are looking for, submit a Support request to have it added.

A — F

Application Security

A scoring factor that concerns detection of common website application vulnerabilities. 

attribution

The process by which we associate digital assets--IPs and domains--with your Digital Footprint. 

asset

An IP address or domain that is part of a Digital Footprint.

breach

Any incident where parties gain unauthorized access to computer data, applications, networks, or devices. The parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.

claimed Scorecard

A Scorecard for an organization with at least one active SecurityScorecard platform account. 

Common Vulnerabilities and Exposures (CVE)

A reference system for publicly known information-security vulnerabilities and exposures, each of which has an ID that begins with a CVE- prefix. Learn more.

Common Vulnerability Scoring System (CVSS)

A free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score maps to one of four severity levels (low, medium, high, and critical) to help with vulnerability assessment and prioritization. Learn more.

compensating control

A mechanism or action that satisfies the requirement for a security measure that is deemed too difficult or impractical to implement. To resolve a finding in your Scorecard, you can cite a compensating control. For example, the issue type Outdated Operating System Observed may have two possible compensating controls:

• The detected operating systems are in a guest wireless network that is fully segmented from production infrastructure.
• Your organization has purchased an extended support contract for Windows 7 from Microsoft.

Cubit Score

A scoring factor that measures a variety of security issues and best practices, as with the following issue types:

• Ransomware-Susceptible Remote Access Services Exposed
• Exposed Subdomain

Custom Scorecard

A Scorecard that you can derive from a primary Scorecard to assess a specific segment or cross-section of an organization. You use search filters to isolate the assets that interest you. Once created, a custom Scorecard evolves through its own update cycle. Although it is derived from a primary Scorecard, it is no longer affected by that Scorecard’s changes. 

Digital Footprint

A visual representation of all assets--IPs and domains--that we attribute to an organization's Scorecard. Updating and validating the Digital Footprint is a collaborative process between SecurityScorecard and scored organizations, and it is important for prioritizing the most relevant security issues to address and maintaining an accurate score.

domain

A website's primary URL which has been registered with an entity that is accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). Its component subdomains are not registered, but are instead "created" after the parent domain is registered.

In this example: marketing.thisbusiness.com, marketing is a subdomain, while thisbusiness.com is the registered domain.

decayed finding

An unresolved finding that no longer impacts a score because it has been on a Scorecard for a certain period of time, depending on the issue type. SecurityScorecard considers a finding decayed when: 

• Remediation evidence is not visible from an internet view. For example, the issue may have been remediated behind a gateway. 
• There has been no observed activity for a time period specific to the finding.

DNS Health

A scoring factor that concerns detection of insecure configurations, vulnerabilities, or malicious events in the passive domain name system (DNS) history in a network domain. 

Digital Footprint

A visualization of all the assets that SecurityScorecard attributes to a Scorecard. Interlinked domains and IP addresses comprise the high-level organization of a Digital Footprint, and you can filter the data according to various criteria, such as issue types. 

Endpoint Security

A scoring factor that concerns detection of unprotected endpoints or entry points of user tools, such as desktops, laptops, mobile devices, and virtual desktops.

factor

One of 10 categories of cyber-risk and protection that SecurityScorecard uses to assess and score an organization’s security resilience. Every issue type that appears on a Scorecard is grouped within one of these factor categories. Each factor has a numerical score that reflects the severity or risk that the factor contributes to the overall cybersecurity posture. 

See factor definitions:

• Application Security
• Cubit Score
• DNS Health
• Endpoint Security
• Hacker Chatter
• IP Reputation
• Information Leak
• Network Security
• Patching Cadence
• Social Engineering

finding

A measurement that consists of an asset from a Digital Footprint, a timestamp of the most recent observation, and information that pertains to a specific issue type. If the issue impacts your score, you can remediate the finding to improve your score. When you click an issue type on your Scorecard to learn more about it, you can review each finding for context to help you remediate it. A finding no longer impacts your score after you resolve it, or when it decays.

G — M

Group or Portfolio Group

A collection of portfolios that you can organize to assess the cybersecurity of many organizations from a higher-level perspective. For example, you can create a group called APAC that includes portfolios for different countries within that region. This provides you an instant view of general metrics, trends, common issues, and other information for all the organizations you are watching in the APAC region.

Hacker Chatter

A scoring factor that is based on mentions of an organization on hacker websites. 

IP Reputation

A scoring factor that concerns detection of suspicious activity, such as propagation of malware or spam, within an organization’s network. 

Inactive domain

Domains for which there is no longer evidence that they are related to an organization. These include domains with no related IPs detected and domains that are no longer in the Whois database because their registrations expired.

As a rule for accurate attribution, we do not associate inactive domains with Scorecards.

Information Leak

A scoring factor that concerns the compromise of an organization’s confidential information, such as user credentials or sensitive data. Scorecard issues that contribute to this factor are based on the monitored deep web chatter and activities of hackers, who may be in possession of the compromised information. 

ISO 8061

A universal convention for indicating date and time, developed by the International Organization for Standardization. We use this standard in the SecurityScorecard platform, such as with time-related search queries in Attack Surface Intelligence.

The yyyy-MM-dd'T'HH:mm:ss.SSSZ format displays the following sequence:

• Four-digit year
• Two-digit month
• Two digit day
• Letter T to indicate time
• Two-digit hour
• Two-digit minute
• Two-digit second
• Letter Z to denote the Zero timezone, as it is offset by 0 from the Coordinated Universal Time (UTC)

Example: 2022-04-01T17:37:17.879Z

issue type

A cybersecurity-related condition that SecurityScorecard identifies in your Scorecard based on analysis of findings gathered about internet-facing assets. Some issue types impact the score and have High, Medium, or Low severity levels, which are proportional to their degree of risk to the organization. 

Other issue types do not impact the score. Those that are labeled Positive in the Scorecard highlight healthy security practices that can mitigate risk. Informational issue types identify areas of potential risk worth inspection, if not urgent action. For example, issue types derived from third-party partner signals are informational.

Note: Issue types that do not impact a score are currently referred to as signals in Ratings Platform. A different definition for signal refers to a data input that SecurityScorecard uses to derive cybersecurity information. See signal.

All issues are grouped into different factor categories.

malicious reputation

Refers to IP addresses that have been placed on public blocklists because suspicious or malicious activity was detected on hem.

measurement

See finding.

N — W

Network Security

A scoring factor that concerns detection of insecure settings or unenforced policies for preventing unauthorized access, misuse, modification, or denial of a network or  network-accessible resources. 

passive scanning

A method of vulnerability detection that uses network data captured from a target device instead of directly interacting with that device.

Patching Cadence

A scoring factor that measures how quickly an organization installs newly released security updates for software and operating systems to mitigate risk. 

Portfolio

A collection of Scorecards that you can organize, so that you can assess cybersecurity activity, metrics, trends, common issues, and other information for multiple organizations.

You can organize portfolios into groups.

Projected Score

Your future, adjusted score displayed on your Scorecard after Support approves your request to resolve issue findings or change your Digital Footprint. It reflects what your Scorecard score will be after recalculation based on the approved changes. Learn more about Projected Scores.

risk

Exposure to a possible danger. Exposure can refer to an attack vector, and possible danger can refer to an exploit. 

For example, for the issue type SPF Record Missing, the attack vector is the absence of a Sender Policy Framework (SPF) record in a domain, which can detect email forgery. A known exploit for this is email spoofing, which has been known to result in phishing attacks. 

The discovery of a risk does not indicate that an attack will happen to an organization, but that it has happened to other organizations with the detected attack vector. There could be other considerations related to the discovery, such as compensating controls.

Scorecard

An objective assessment of an organization’s security posture that SecurityScorecard (SSC) generates based on scans of internet-facing IP addresses, which it then correlates into domains and attributes to the organization as its Digital Footprint. 

SSC directly detects—and collects from third parties—signals from these assets that it interprets as issue types, which indicate potential for, or confirmation of, vulnerabilities and exploits. SSC categorizes these issue types into factors, each with its own numeric score based on its determined importance. These factors comprise an overall numeric score and a letter grade (A-F) that appears prominently on the Scorecard. 

Scorecards motivate organizations to monitor their own—and each others’—risk and to take remediating actions to improve their scores. Because SSC’s scanning and data gathering is continuous, and because organizations engage in remediation, scores can fluctuate.

severity level

The degree of risk that an issue type introduces to an organization. The three levels--High, Medium, and Low--negatively impact a Scorecard’s score. Various industry standards and expert evaluations determine the severity level for any given issue type. For example, severity levels for issues that comprise the Patching Cadence factor map directly to Common Vulnerability Scoring System (CVSS) version 2.0 in the National Vulnerability Database.

Severity levels for issue types correspond to different weights or degrees of negative score impact.

signal

A data input that SecurityScorecard uses in developing findings and measurements to make assertions about an organization’s assets and cybersecurity. Our analysis of signals enables us to identify potential vulnerabilities and exploits or to confirm them.

For example, our scanning infrastructure gathers information about websites open ports. That collected data is a signal. The processing and evaluation of that signal results in issues types on the platform, such as High-Severity Vulnerability in Last Observation.

Note: Issue types that do not impact your score are currently also referred to as signals in Ratings Platform. See issue types.

Social Engineering

A scoring factor that measures your organization’s preparedness for attacks that manipulate users into divulging confidential information, providing network access, or enabling the deployment of malware. A phishing campaign is a typical example. 

slot

One Scorecard or Custom Scorecard that is part of the full quota that you can monitor, according to your SecurityScorecard subscription. For example, if your subscription includes five slots, you can monitor five Scorecards.

subdomain

A component of a registered domain.

threat actor

A person or a group that intends to compromise or harm organizations by exploiting gaps in their cyber-defenses. Their motives vary depending on whether they are cyber-criminals, nation-state operatives, ideologues (hactivists), organization insiders, cyber-vandals, or other parties. Alternate terms include malicious actor, bad actor, or actor.

unrecognized campaign

A set methods for carrying out exploits or attacks that are not known to be associated with any specific threat actors. 

vulnerability

A flaw or weakness in an information system, security procedures, internal controls, or implementation that could be exploited by threat actors for malicious purposes. Each known vulnerability is identified by an official common vulnerability enumeration (CVE) and listed in a National Vulnerability Database (NVD), published by the National Institute of Standards and Technology.

weight

An issue's negative score impact, which is calculated to reflect the severity or risk that the issue contributes to the overall cybersecurity posture. A weight of High has the greatest negative scoring impact. The other two weights, Medium and Low, have progressively less impact.