SlideShare a Scribd company logo

Review on 3rd-party Cyber Risk Assessment and Scoring Tools

NormShield
NormShield

A recent survey conducted by Ponemon Institute reveals that 56% of companies have experienced a 3rd-party breach in 2017, which is an increase of 7% compared to previous year. Another survey conducted by Deloitte in 2016 was more depressive, reporting that 87% of organizations have experienced a disruptive incident with third-parties in the last 2-3 years. Another research in 2016, sourced by Soha Systems, reports that 63% of all breaches were related to third parties. The findings in these studies confirm that third-party cyber risk assessment is a must. The goal of this paper is to provide a review on third-party cyber risk assessment/scoring tools that automatically gather and analyze open source data and provide a risk score/security rating.

Technology
1 of 12
2018 Guide to Select 3rd Party Cyber-Risk Assessment Tool A Review of Third-Party Cyber-Risk Assessment & Scoring Tools
1 2018 Guide to Select 3rd Party Cyber-Risk Assessment Tool A Review of third-party Cyber-Risk Assessment Tools Introduction A recent survey conducted by Ponemon Institute reveals that 56% of companies have experienced a 3rd-party breach in 2017, which is an increase of 7% compared to previous year. Another survey conducted by Deloitte in 2016 was more depressive, reporting that 87% of organizations have experienced a disruptive incident with third-parties in the last 2-3 years. Another research in 2016, sourced by Soha Systems, reports that 63% of all breaches were related to third parties. The findings in these studies confirm that third-party cyber risk assessment is a must. The goal of this paper is to provide a review on third-party cyber risk assessment/scoring tools that automatically gather and analyze open source data and provide a risk score/security rating.
What is Third-Party Third-parties include broad range of companies you directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. Even the JavaScript that is added to your website for analytics may cause a breach by exposing the information of people that visit your website. Recent hacks (like CCleaner in 2017) exposed backdoors to well-known software have confirmed that the definition of third-party should not be limited to only the companies that you directly work with. Even IoT devices can be considered as a third-party and can be source of a breach. Very recently a casino was hacked through its Internet- connected thermometer in an aquarium in the lobby of the casino. For more info on third-party cyber risk, check out our 2018 third-party cyber risk report here.
3 Breaches Caused by Third-Parties The figure below shows recent breaches/incidents caused by third-parties, varying from law, accounting, HVAC firms to companies that provide web hosting, data management, e-mail services, etc.
How to Assess Third-Party Risk? Many companies either do not conduct any assessment of the cyber risk of third-parties or use old-school questionnaire methodology (they send a list of questions for third-parties to answer). First of all, questionnaire-based assessment is very time consuming (even though there are some online tools that simplify the process) and answers are not reliable. Even if we assume that answers are correct and we gather the results quickly, there might be some cyber risks that are invisible to third-party. This type of “hidden” risks can only be detected by gathering cyber threat intelligence and evaluating the risk. Fortunately, there are several platforms that gather third-party cyber risk data and provide a risk score or security rating for companies. The information gathering is done by a method called “passive scan” where non-intrusive methods are used and company assets remain untouched. It is basically a hacker’s view of the third-parties external cyber risk. The open-source intelligence data is collected from many feeds such as reputation services, hacker sites/forums, vulnerability databases, Internet-wide scanners, social media, paste sites, black markets, underground forums, etc. Information gathering should be done for the company of interest and any related third-party company.
5 Key Players The top players that provide such cyber risk scoring through passive scanning are BitSight, NormShield, Security Scorecard, UpGuard, and Riskrecon. They all provide risk scores or security ratings for any company. This type of cyber risk assessment can be used for suppliers, joint- ventures, target acquisitions, franchisees, cyber insurance customers, etc. There are also some new players like iTrust and Paris-based company Cyrating. Also few 10+ year-old cybersecurity companies such as RiskIQ, RiskSense, Tenable have been working on cyber risk scoring products and their contribution to this niche market will make it more competitive.
Comparison In this study, we compare the key players’ cyber risk scoring products with NormShield’s Cyber Risk Scorecard. Herein after, we will use notations Company A, B, C, and D for competitors. Methodology Since the methodology and data resources are similar, the differentiating factors are data quality, technical depth, reliability (true positive), coverage (true negative), usability and reporting capabilities. The ideal scorecard should sufficiently cover the target company’s and related third- parties’ assets and must exclude any findings that belong to other companies. In other words, the scoring system should be highly reliable (high true positive rate) and consistent (less false negative).
7 Threat Vectors Considered We first look at the threat vectors covered. The number of threat vectors indicates the scorecard scope. As seen in the figure below, NormShield provides a large scope for risk scoring. There are some threat vectors, such as DDoS resiliency that other products do not cover. The ability to keep the scope large comes from the broad digital footprint information gathered. NormShield scorecard collects all domains, subdomains, IP addresses, DNS records, services, emails, ASNs, social media accounts, and company information with its proprietary algorithms. A large digital footprint intel with sensitive false-positive elimination (by computer and human analysts) gives a jump start to NormShield compared to others. Because it increases the visibility and reliability. The below figure shows that Company C’s product has the narrowest scope. Even though they provide a quick scoring, the information they gather is not sufficient to give a reliable score. They also provide breach information if an add-on feature is separately purchased. Company D has a larger but limited scope that covers some essential threat vectors. Company A and B have both large scopes and provide additional information such as Endpoint Security or Software Security, but they miss threat vectors such as DDoS Resiliency, CDN Security, etc. Another downside of Company A is that it does not monitor fraudulent domains, which are the main source of phishing attacks that target the customers and/or employees of a company.
Scoring There are no standards on scoring methodologies (yet) for risk scoring products. An easy-to- understand and consistent scoring is very important when assessing the cyber risk posture of your own company and your third-parties. Some companies used numeric scoring (0 to 900 scoring) and some use letter grades ( A to F scoring). NormShield uses both A to F letter grades and percentage (0 to 100 percent) for overall score and all risk categories. Company A has a similar scoring/grading system. Company B, on the other hand, provide a 0 to 1000 overall score and A to F letter grades for subcategories. Company C shows only one score (0 to 1000) and does not provide scores for risk vectors. Finally, Company D provide 0 to 10 score for both overall and subcategories.
9 Reporting and Alerting An ideal third-party cyber risk scoring tool should provide useful reports for risk remediation and mitigation and also provide alerts for important risk factors (such as leaked info) via e-mail or SMS. NormShield Cyber Risk Scorecard provides very rich reports for each risk factor discovered with suggestions for mitigating the risk and also generates alerts via e-mail to notify IT security personnel about critical issues. Company A has similar features for reporting and alerting. Company D goes one step forward and creates a priority matrix based on severity of expected damage and importance of the asset that can be affected. Though, it is questionable how they determine importance of an asset. While Company B does not provide an easy-to-generate report for remediation of risks, Company C does not give any suggestion at all.
Conclusion In this paper, we provide a review on third-party cyber risk scoring tools that automatically gather information and provide a risk assessment. We evaluated top players in the market and compared their scorecard scope (number of threat vectors considered), digital footprint, scoring methodology, and reporting/alerting systems. We see that the NormShield Cyber Risk Scorecard provides a larger scope with discovery of a larger digital footprint, has a consistent and easy-to-understand scoring, and generates rich reports and alerts.
11 About NormShield The NormShield cyber risk scorecards provide actionable and easy to understand cyber risk information to business executives while providing detailed technical data and remediation recommendations to IT security personnel. With NormShield, organizations are able to perform nonintrusive cyber risk assessments to ascertain what hackers know about their external security posture and the cyber risk posture their third-parties (suppliers, target acquisitions, cyber insurance customers, etc.). NormShield’s Cyber Risk Scorecards evaluate relevant cyber security of categories and provide a score in each as well as the ability to drill down for additional information about the factors that contributed to each score. To get company/organization’s cyber risk scorecard, please visit https://www.normshield.com and click on Learn Now. www.normshield.com 1 (571) 335 0222 info@normshield.com NormShield HQ 8200 Greensboro Drive Suite 900 McLean, VA 22102

Recommended

Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
Scalar Decisions
 
3rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 20183rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 2018
NormShield
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
FireEye, Inc.
 
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOUHOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
NormShield
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_Report
Alex Himmelberg
 
2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report
Owen Bartolome
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 

Recommended

Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
Scalar Decisions
 
3rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 20183rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 2018
NormShield
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
FireEye, Inc.
 
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOUHOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
NormShield
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_Report
Alex Himmelberg
 
2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report
Owen Bartolome
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance SectorThe Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
Accenture Insurance
 
Cost of Cybercrime 2017
Cost of Cybercrime 2017Cost of Cybercrime 2017
Cost of Cybercrime 2017
Paperjam_redaction
 
2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture
job Titri company
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
Δρ. Γιώργος K. Κασάπης
 
Material de apoyo Un replanteamiento masivo de la seguridad.
Material de apoyo Un replanteamiento masivo de la seguridad.Material de apoyo Un replanteamiento masivo de la seguridad.
Material de apoyo Un replanteamiento masivo de la seguridad.
Universidad Cenfotec
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
patmisasi
 
IT Security Risks Survey 2014
IT Security Risks Survey 2014IT Security Risks Survey 2014
IT Security Risks Survey 2014
- Mark - Fullbright
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
- Mark - Fullbright
 
Reasons to be secure
Reasons to be secureReasons to be secure
Reasons to be secure
Meg Weber
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
Tatainteractive1
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
- Mark - Fullbright
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
sukiennong.vn
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data security
Ulf Mattsson
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco system
David Sweigert
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
Bala Guntipalli ♦ MBA
 
Enterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptEnterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to Adapt
Capgemini
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
Interset-advanced threat detection wp
Interset-advanced threat detection wpInterset-advanced threat detection wp
Interset-advanced threat detection wp
CMR WORLD TECH
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
Jeremiah Grossman
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe Security
Rahul Tyagi
 
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
rsouthal2003
 

More Related Content

What's hot

Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
patmisasi
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
- Mark - Fullbright
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
Jeremiah Grossman
 

What's hot (20)

The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance SectorThe Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
 
Cost of Cybercrime 2017
Cost of Cybercrime 2017Cost of Cybercrime 2017
Cost of Cybercrime 2017
 
2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
 
Material de apoyo Un replanteamiento masivo de la seguridad.
Material de apoyo Un replanteamiento masivo de la seguridad.Material de apoyo Un replanteamiento masivo de la seguridad.
Material de apoyo Un replanteamiento masivo de la seguridad.
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
 
IT Security Risks Survey 2014
IT Security Risks Survey 2014IT Security Risks Survey 2014
IT Security Risks Survey 2014
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
 
Reasons to be secure
Reasons to be secureReasons to be secure
Reasons to be secure
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data security
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco system
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
Enterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptEnterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to Adapt
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Interset-advanced threat detection wp
Interset-advanced threat detection wpInterset-advanced threat detection wp
Interset-advanced threat detection wp
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 

Similar to Review on 3rd-party Cyber Risk Assessment and Scoring Tools

Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
rsouthal2003
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
Chad Korosec
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
sraina2
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Consider the security of a personal computer. List a few of the atta.pdf
Consider the security of a personal computer. List a few of the atta.pdfConsider the security of a personal computer. List a few of the atta.pdf
Consider the security of a personal computer. List a few of the atta.pdf
lejeunehayneswowel96
 

Similar to Review on 3rd-party Cyber Risk Assessment and Scoring Tools (20)

Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe Security
 
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
Third party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligenceThird party risk management with cyber threat intelligence
Third party risk management with cyber threat intelligence
 
Alert logic cloud security report
Alert logic cloud security reportAlert logic cloud security report
Alert logic cloud security report
 
COVID-19 free penetration tests by Pentest-Tools.com
COVID-19 free penetration tests by Pentest-Tools.comCOVID-19 free penetration tests by Pentest-Tools.com
COVID-19 free penetration tests by Pentest-Tools.com
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
A Comprehensive Approach To Third Party Risk Management White Paper 20180103
A Comprehensive Approach To Third Party Risk Management White Paper 20180103A Comprehensive Approach To Third Party Risk Management White Paper 20180103
A Comprehensive Approach To Third Party Risk Management White Paper 20180103
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
Big Data Analytics Solutions
Big Data Analytics SolutionsBig Data Analytics Solutions
Big Data Analytics Solutions
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
Consider the security of a personal computer. List a few of the atta.pdf
Consider the security of a personal computer. List a few of the atta.pdfConsider the security of a personal computer. List a few of the atta.pdf
Consider the security of a personal computer. List a few of the atta.pdf
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
PCI COMPLIANCE REPORT
PCI COMPLIANCE REPORTPCI COMPLIANCE REPORT
PCI COMPLIANCE REPORT
 
Verizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xgVerizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xg
 
Scalar security study2017_slideshare_rev[1]
Scalar security study2017_slideshare_rev[1]Scalar security study2017_slideshare_rev[1]
Scalar security study2017_slideshare_rev[1]
 

More from NormShield

More from NormShield (8)

Major 3rd-Party Data Breaches Of 2018
Major 3rd-Party Data Breaches Of 2018Major 3rd-Party Data Breaches Of 2018
Major 3rd-Party Data Breaches Of 2018
 
Normshield 2018 Airlines Phishing Report
Normshield 2018 Airlines Phishing ReportNormshield 2018 Airlines Phishing Report
Normshield 2018 Airlines Phishing Report
 
Are There Any Domains Impersonating Your Company For Phishing?
Are There Any Domains Impersonating Your Company For Phishing?Are There Any Domains Impersonating Your Company For Phishing?
Are There Any Domains Impersonating Your Company For Phishing?
 
NormShield Cyber Risk Rating October 18
NormShield Cyber Risk Rating October 18NormShield Cyber Risk Rating October 18
NormShield Cyber Risk Rating October 18
 
NormShield Supply Chain Risk Management Infographic
NormShield Supply Chain Risk Management InfographicNormShield Supply Chain Risk Management Infographic
NormShield Supply Chain Risk Management Infographic
 
Third-Party Risk in Regulations
Third-Party Risk in RegulationsThird-Party Risk in Regulations
Third-Party Risk in Regulations
 
NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018NormShield Crypto Currency Report 2018
NormShield Crypto Currency Report 2018
 
NormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk BriefNormShield 2018 Cyber Security Risk Brief
NormShield 2018 Cyber Security Risk Brief
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Review on 3rd-party Cyber Risk Assessment and Scoring Tools

  • 1. 2018 Guide to Select 3rd Party Cyber-Risk Assessment Tool A Review of Third-Party Cyber-Risk Assessment & Scoring Tools
  • 2. 1 2018 Guide to Select 3rd Party Cyber-Risk Assessment Tool A Review of third-party Cyber-Risk Assessment Tools Introduction A recent survey conducted by Ponemon Institute reveals that 56% of companies have experienced a 3rd-party breach in 2017, which is an increase of 7% compared to previous year. Another survey conducted by Deloitte in 2016 was more depressive, reporting that 87% of organizations have experienced a disruptive incident with third-parties in the last 2-3 years. Another research in 2016, sourced by Soha Systems, reports that 63% of all breaches were related to third parties. The findings in these studies confirm that third-party cyber risk assessment is a must. The goal of this paper is to provide a review on third-party cyber risk assessment/scoring tools that automatically gather and analyze open source data and provide a risk score/security rating.
  • 3. What is Third-Party Third-parties include broad range of companies you directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. Even the JavaScript that is added to your website for analytics may cause a breach by exposing the information of people that visit your website. Recent hacks (like CCleaner in 2017) exposed backdoors to well-known software have confirmed that the definition of third-party should not be limited to only the companies that you directly work with. Even IoT devices can be considered as a third-party and can be source of a breach. Very recently a casino was hacked through its Internet- connected thermometer in an aquarium in the lobby of the casino. For more info on third-party cyber risk, check out our 2018 third-party cyber risk report here.
  • 4. 3 Breaches Caused by Third-Parties The figure below shows recent breaches/incidents caused by third-parties, varying from law, accounting, HVAC firms to companies that provide web hosting, data management, e-mail services, etc.
  • 5. How to Assess Third-Party Risk? Many companies either do not conduct any assessment of the cyber risk of third-parties or use old-school questionnaire methodology (they send a list of questions for third-parties to answer). First of all, questionnaire-based assessment is very time consuming (even though there are some online tools that simplify the process) and answers are not reliable. Even if we assume that answers are correct and we gather the results quickly, there might be some cyber risks that are invisible to third-party. This type of “hidden” risks can only be detected by gathering cyber threat intelligence and evaluating the risk. Fortunately, there are several platforms that gather third-party cyber risk data and provide a risk score or security rating for companies. The information gathering is done by a method called “passive scan” where non-intrusive methods are used and company assets remain untouched. It is basically a hacker’s view of the third-parties external cyber risk. The open-source intelligence data is collected from many feeds such as reputation services, hacker sites/forums, vulnerability databases, Internet-wide scanners, social media, paste sites, black markets, underground forums, etc. Information gathering should be done for the company of interest and any related third-party company.
  • 6. 5 Key Players The top players that provide such cyber risk scoring through passive scanning are BitSight, NormShield, Security Scorecard, UpGuard, and Riskrecon. They all provide risk scores or security ratings for any company. This type of cyber risk assessment can be used for suppliers, joint- ventures, target acquisitions, franchisees, cyber insurance customers, etc. There are also some new players like iTrust and Paris-based company Cyrating. Also few 10+ year-old cybersecurity companies such as RiskIQ, RiskSense, Tenable have been working on cyber risk scoring products and their contribution to this niche market will make it more competitive.
  • 7. Comparison In this study, we compare the key players’ cyber risk scoring products with NormShield’s Cyber Risk Scorecard. Herein after, we will use notations Company A, B, C, and D for competitors. Methodology Since the methodology and data resources are similar, the differentiating factors are data quality, technical depth, reliability (true positive), coverage (true negative), usability and reporting capabilities. The ideal scorecard should sufficiently cover the target company’s and related third- parties’ assets and must exclude any findings that belong to other companies. In other words, the scoring system should be highly reliable (high true positive rate) and consistent (less false negative).
  • 8. 7 Threat Vectors Considered We first look at the threat vectors covered. The number of threat vectors indicates the scorecard scope. As seen in the figure below, NormShield provides a large scope for risk scoring. There are some threat vectors, such as DDoS resiliency that other products do not cover. The ability to keep the scope large comes from the broad digital footprint information gathered. NormShield scorecard collects all domains, subdomains, IP addresses, DNS records, services, emails, ASNs, social media accounts, and company information with its proprietary algorithms. A large digital footprint intel with sensitive false-positive elimination (by computer and human analysts) gives a jump start to NormShield compared to others. Because it increases the visibility and reliability. The below figure shows that Company C’s product has the narrowest scope. Even though they provide a quick scoring, the information they gather is not sufficient to give a reliable score. They also provide breach information if an add-on feature is separately purchased. Company D has a larger but limited scope that covers some essential threat vectors. Company A and B have both large scopes and provide additional information such as Endpoint Security or Software Security, but they miss threat vectors such as DDoS Resiliency, CDN Security, etc. Another downside of Company A is that it does not monitor fraudulent domains, which are the main source of phishing attacks that target the customers and/or employees of a company.
  • 9. Scoring There are no standards on scoring methodologies (yet) for risk scoring products. An easy-to- understand and consistent scoring is very important when assessing the cyber risk posture of your own company and your third-parties. Some companies used numeric scoring (0 to 900 scoring) and some use letter grades ( A to F scoring). NormShield uses both A to F letter grades and percentage (0 to 100 percent) for overall score and all risk categories. Company A has a similar scoring/grading system. Company B, on the other hand, provide a 0 to 1000 overall score and A to F letter grades for subcategories. Company C shows only one score (0 to 1000) and does not provide scores for risk vectors. Finally, Company D provide 0 to 10 score for both overall and subcategories.
  • 10. 9 Reporting and Alerting An ideal third-party cyber risk scoring tool should provide useful reports for risk remediation and mitigation and also provide alerts for important risk factors (such as leaked info) via e-mail or SMS. NormShield Cyber Risk Scorecard provides very rich reports for each risk factor discovered with suggestions for mitigating the risk and also generates alerts via e-mail to notify IT security personnel about critical issues. Company A has similar features for reporting and alerting. Company D goes one step forward and creates a priority matrix based on severity of expected damage and importance of the asset that can be affected. Though, it is questionable how they determine importance of an asset. While Company B does not provide an easy-to-generate report for remediation of risks, Company C does not give any suggestion at all.
  • 11. Conclusion In this paper, we provide a review on third-party cyber risk scoring tools that automatically gather information and provide a risk assessment. We evaluated top players in the market and compared their scorecard scope (number of threat vectors considered), digital footprint, scoring methodology, and reporting/alerting systems. We see that the NormShield Cyber Risk Scorecard provides a larger scope with discovery of a larger digital footprint, has a consistent and easy-to-understand scoring, and generates rich reports and alerts.
  • 12. 11 About NormShield The NormShield cyber risk scorecards provide actionable and easy to understand cyber risk information to business executives while providing detailed technical data and remediation recommendations to IT security personnel. With NormShield, organizations are able to perform nonintrusive cyber risk assessments to ascertain what hackers know about their external security posture and the cyber risk posture their third-parties (suppliers, target acquisitions, cyber insurance customers, etc.). NormShield’s Cyber Risk Scorecards evaluate relevant cyber security of categories and provide a score in each as well as the ability to drill down for additional information about the factors that contributed to each score. To get company/organization’s cyber risk scorecard, please visit https://www.normshield.com and click on Learn Now. www.normshield.com 1 (571) 335 0222 info@normshield.com NormShield HQ 8200 Greensboro Drive Suite 900 McLean, VA 22102