Attack surface score: How does your organization compare?
The Sweepatic EASM Platform includes an Attack Surface Scoring feature that indicates the state of your external cybersecurity posture. The score guides you through the attack surface towards the highest-priority observations and kick-starts remediation, making your organization more cyber resilient.
But we often get the question: “What is a good attack surface score, and how does our organization compare to others?” Let’s see what the average scores in the Sweepatic EASM Platform tell us. And stay tuned for regular benchmark updates!
The Overall External Attack Surface Score
The overall attack surface score of an organization (rated A to F, where A is best) is built by aggregating the scores of all internet-facing assets across six cybersecurity dimensions, which we describe below. The aggregation is a weighted average in which worse scores receive a higher weight, so a single badly scoring asset or dimension is not averaged away by many good ones.
In other words, the total score is calculated from the observed risks and their associated priorities in each of the cybersecurity dimensions: vulnerabilities, configuration, exposed services, encryption, reputation and hygiene.
Looking at all organization scopes in the Sweepatic EASM Platform, we see an average overall score of C. So there is definitely room for improvement.
Let’s have a look at how organizations score per cybersecurity dimension and where they can improve most (and most urgently).
The Score per Cybersecurity Dimension
1. Vulnerabilities: C
Vulnerabilities are reported when Sweepatic finds software versions with known vulnerabilities (CVEs). Because Sweepatic takes a discovery-first approach, its asset discovery is accurate and complete, which increases the number of exposed CVEs found, both in infrastructure and in (third-party) web application technologies. The average score for this dimension is C and can be improved by updating software versions. Keep in mind that a version-based match flags a vulnerable version, not a confirmed exploitable condition: distribution packages with backported fixes can report an old version string, so verify such findings before closing them.
2. Configuration: D
Configuration risks are elements of IT assets that are not configured according to well-established security best practices. Typical examples include missing or misconfigured security headers and missing or weak SPF and DMARC records. On average, an organization scores a D for this dimension. The score improves with actions such as publishing correct DNS records, setting the recommended security headers, only setting cookies after user consent is received, etc.
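The checks behind this dimension can be reproduced with a few lines of code. The script below is an added example and not Sweepatic's own code: it grades SPF and DMARC TXT records and the security headers of an HTTPS response against common practitioner rules (RFC 7208 lookup limit, `-all` versus `+all`, DMARC `p=` and `rua=`, HSTS `max-age` of at least one year). The records and headers are constructed inline so it runs offline; the domain names and thresholds are assumptions, not Sweepatic's scoring rules.

```python
"""Configuration checks for one domain: SPF, DMARC and HTTP security headers.

Added example (not Sweepatic code). Records and headers are constructed
below so it runs offline; in practice they come from DNS TXT lookups and an
HTTPS GET. Thresholds are usual practitioner defaults, not Sweepatic's.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)

# Response headers expected on any internet-facing HTTPS site (assumed baseline).
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")
MIN_HSTS_MAX_AGE = 31536000  # one year, the common hardening recommendation


def check_spf(txt_records):
    """Findings for the TXT records at the domain apex; an empty list means OK."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers return permerror)")
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, above the limit of 10")
    if any(re.match(r"^[+\-~?]?ptr", t, re.I) for t in terms):
        findings.append("SPF: ptr mechanism is deprecated (RFC 7208 section 5.5)")
    all_terms = [t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        if not any(t.lower().startswith("redirect=") for t in terms):
            findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: ends with +all, every sender on the internet passes")
        elif qualifier == "?":
            findings.append("SPF: ends with ?all (neutral), which offers no protection")
        elif qualifier == "~":
            findings.append("SPF: ends with ~all (softfail); use -all once senders are known")
    return findings


def check_dmarc(txt_records):
    """Findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc.<domain>"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag, record is ignored by receivers")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct}, the policy applies to only part of the mail")
    return findings


def check_headers(headers):
    """Findings for the headers of an HTTPS response (dict, any letter case)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"Headers: missing {name}" for name in REQUIRED_HEADERS if name not in h]
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.I)
    if hsts and (not max_age or int(max_age.group(1)) < MIN_HSTS_MAX_AGE):
        findings.append("Headers: HSTS max-age below one year")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("Headers: X-Content-Type-Options should be 'nosniff'")
    return findings


# Constructed sample data (assumed, not real domains' records).
WEAK_SPF = ["v=spf1 include:_spf.example.net a mx ptr +all", "site-verification=abc123"]
GOOD_SPF = ["v=spf1 include:_spf.example.net -all"]
WEAK_DMARC = ["v=DMARC1; p=none"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"]
WEAK_HEADERS = {"Server": "nginx", "Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":
    for label, result in (("weak SPF", check_spf(WEAK_SPF)), ("good SPF", check_spf(GOOD_SPF)),
                          ("weak DMARC", check_dmarc(WEAK_DMARC)), ("good DMARC", check_dmarc(GOOD_DMARC)),
                          ("weak headers", check_headers(WEAK_HEADERS))):
        print(label, "->", result or "OK")
```

Run it as is to see the findings for the constructed records; to check your own domain, replace the sample lists with the TXT records returned by `dig TXT example.com` and `dig TXT _dmarc.example.com` and the headers from `curl -sI https://www.example.com/`.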
3. Exposed services: D
Exposed services are applications that normally should not be directly reachable from the internet by everyone (database ports, remote administration protocols, management consoles). Better and more secure architectures exist for making use of these services, for example placing them behind a VPN or an access proxy. This dimension also scores a D. The score can be improved by taking the service offline or by restricting access to an allowlist of known sources.
4. Encryption: E
E is for Encryption. This dimension looks at all your TLS (SSL) certificates and their validity, expiration date and the protocol versions offered. Proper encryption protects data in transit against eavesdropping and man-in-the-middle attacks. Also, visiting websites that trigger red certificate warnings in the browser is not great for the reputation and trustworthiness of your brand. This is the worst scoring dimension, with an average of E. The score can be improved by securing all connections with up-to-date protocols (TLS 1.2 or 1.3) and making sure every website has a valid, unexpired certificate that matches its hostname.
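The three checks named in this dimension (validity window, expiry date, protocol version) can be run against the certificate dictionary Python's `ssl` module returns from `SSLSocket.getpeercert()`. The script below is an added example, not Sweepatic's code: it takes such a dictionary plus the negotiated protocol name and reports the findings a scanner would raise, including a hostname/SAN mismatch, which is the usual cause of a red browser warning. The certificate, the dates and the 30-day warning window are constructed assumptions so the example runs offline.

```python
"""Encryption checks for one TLS endpoint, offline.

Added example (not Sweepatic code). SAMPLE_CERT mimics the dict returned by
ssl.SSLSocket.getpeercert(); dates, names and thresholds are assumptions.
"""
import ssl
import time

PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_PROTOCOL = "TLSv1.2"   # assumed minimum; TLS 1.0/1.1 are deprecated (RFC 8996)
WARN_DAYS = 30             # assumed warning window before expiry


def san_matches(pattern, hostname):
    """Match one dNSName SAN against a hostname; '*' only in the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if pattern.startswith("*."):
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname


def evaluate_tls(hostname, cert, protocol, now=None):
    """Findings for an endpoint: protocol version, validity window, name match."""
    now = time.time() if now is None else now
    findings = []
    if protocol not in PROTOCOL_ORDER:
        findings.append(f"unrecognised protocol {protocol}")
    elif PROTOCOL_ORDER.index(protocol) < PROTOCOL_ORDER.index(MIN_PROTOCOL):
        findings.append(f"{protocol} negotiated; minimum should be {MIN_PROTOCOL}")
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used by getpeercert().
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    days_left = (not_after - now) / 86400
    if days_left < 0:
        findings.append(f"certificate expired {-days_left:.0f} days ago")
    elif days_left < WARN_DAYS:
        findings.append(f"certificate expires in {days_left:.0f} days")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(n, hostname) for n in names):
        findings.append(f"no subjectAltName matches {hostname}")
    return findings


# Constructed sample certificate and reference times (assumed, not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
EARLY = ssl.cert_time_to_seconds("Jan 10 00:00:00 2024 GMT")   # 51 days before expiry
NOW = ssl.cert_time_to_seconds("Feb 15 00:00:00 2024 GMT")     # 15 days before expiry
LATE = ssl.cert_time_to_seconds("Mar 10 00:00:00 2024 GMT")    # 9 days after expiry

if __name__ == "__main__":
    for host, proto, when in (("www.example.com", "TLSv1.2", NOW),
                              ("api.example.com", "TLSv1", NOW),
                              ("foo.example.net", "TLSv1.3", EARLY)):
        print(host, proto, "->", evaluate_tls(host, SAMPLE_CERT, proto, when) or "OK")
```

For a live endpoint, wrap a socket with `ssl.create_default_context().wrap_socket(sock, server_hostname=host)` and pass `getpeercert()` and `version()` of the resulting socket into `evaluate_tls`; note that the default context already refuses expired or mismatched certificates, so use a context with `check_hostname = False` and `verify_mode = ssl.CERT_NONE` only when the goal is to inventory broken endpoints rather than to trust them.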
5. Reputation: A
The winner of best scoring cybersecurity dimension is reputation. In these Sweepatic checks, the reputation of discovered IP addresses is verified against external spam and blocklist services. A blocklisted address causes service degradation: outbound mail gets rejected and traffic to or from the host may be blocked by security products. Although the average score is A for this dimension, there is still some room to improve. Check why your asset is blocklisted, fix the underlying problem (for example a compromised host sending spam) and request delisting from the entity blocking you. Alternatively, move the service to a new host that is not blocklisted, after solving the problem.
6. Hygiene: C
Hygiene-based risks usually have a low priority and are not a direct cybersecurity risk. They can be sources for information gathering, point to online assets that are not set up according to standards, or mark candidates for taking offline. Although not high in priority in terms of risk, the first line of defense against bad actors remains keeping your external attack surface clean and tidy. Therefore, this dimension should not be underestimated: it points out quick wins and forgotten, outdated assets. The score of C indicates there is some work to be done in this category, by fixing unexpected status codes, updating copyright notices to the current year, and removing default web server landing pages, such as those of Azure, IIS and Plesk.
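The hygiene signals listed above (unexpected status codes, stale copyright years, default landing pages, plus the version string in a `Server` header that feeds information gathering) are all visible in a single HTTP response. The script below is an added example, not Sweepatic's code: it runs those checks over constructed sample responses. The page fingerprints are illustrative strings taken from the typical default pages of IIS, Plesk, Azure App Service, Apache and nginx and should be tuned against real responses; the sample URLs, bodies and the "last year is still acceptable" copyright tolerance are assumptions.

```python
"""Hygiene checks over HTTP responses, offline.

Added example (not Sweepatic code). Fingerprints are illustrative and the
sample responses are constructed; a real scan would fetch each discovered URL.
"""
import re
from datetime import date

# Illustrative markers of default/placeholder pages (assumed; tune against real pages).
DEFAULT_PAGE_MARKERS = {
    "IIS default page": ("iisstart", "IIS Windows"),
    "Plesk default page": ("Web Server's Default Page", "generated by Plesk"),
    "Azure App Service placeholder": ("Microsoft Azure App Service - Welcome",),
    "Apache default page": ("Apache2 Default Page", "It works!"),
    "nginx default page": ("Welcome to nginx!",),
}
COPYRIGHT_YEAR = re.compile(
    r"(?:©|&copy;|\(c\)|copyright)\s*(?:\d{4}\s*[-–]\s*)?(\d{4})", re.I)


def check_hygiene(url, status, headers, body, today=None):
    """Findings for one response; an empty list means the asset looks tidy."""
    today = today or date.today()
    findings = []
    if status >= 500 or status in (403, 404):
        findings.append(f"unexpected status {status}")
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    if re.search(r"/\d", server):  # "Product/1.2.3" discloses a version
        findings.append(f"Server header discloses version ({server})")
    low = body.lower()
    for name, markers in DEFAULT_PAGE_MARKERS.items():
        if any(m.lower() in low for m in markers):
            findings.append(f"looks like a {name}")
            break
    years = [int(y) for y in COPYRIGHT_YEAR.findall(body)]
    # A notice from last year is tolerated (sites are not all updated on 1 January).
    if years and max(years) < today.year - 1:
        findings.append(f"copyright notice last updated {max(years)}")
    return findings


def scan(samples, today=None):
    """Map each sample URL to its findings."""
    return {url: check_hygiene(url, status, headers, body, today)
            for url, status, headers, body in samples}


# Constructed sample responses (assumed; not real hosts).
SAMPLES = [
    ("https://old.example.com/", 200, {"Server": "Microsoft-IIS/10.0"},
     '<html><head><title>IIS Windows Server</title></head>'
     '<body><img src="iisstart.png"></body></html>'),
    ("https://www.example.com/", 200, {"Server": "nginx"},
     "<footer>&copy; 2015-2019 Example Corp</footer>"),
    ("https://gone.example.com/", 404, {"Server": "nginx"},
     "<h1>404 Not Found</h1>"),
    ("https://app.example.com/", 200, {"Server": "nginx"},
     "<footer>Copyright © 2024 Example Corp</footer>"),
]
TODAY = date(2024, 6, 1)  # fixed reference date so results are reproducible

if __name__ == "__main__":
    for url, findings in scan(SAMPLES, TODAY).items():
        print(url, "->", findings or "OK")
```

In a real run, `scan` would be fed the responses of every discovered hostname; the default-page and 404 findings are the fastest way to build the "take offline" list, while stale copyright years and version-disclosing `Server` headers identify sites nobody maintains.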
Some conclusions can be drawn from the findings in the Sweepatic EASM platform:
- Although the Hygiene cybersecurity dimension is listed last, it is very important for your external attack surface management. Use it to find outdated and forgotten websites, websites returning 404 errors that need updating or can be removed, and other unknown or unwanted assets still facing the internet. This makes your attack surface smaller and less attractive to bad actors.
- The Sweepatic EASM Platform takes a different approach than a vulnerability scanner: it looks from the outside in and does not scan your internal assets, but it still points out CVEs in your technology stack. This is a valuable, continuous extra check alongside the active vulnerability scans you may already have in place.
- Making sure your encryption is in order is an important security check. Still, we see that this dimension scores worst across the attack surfaces in the Sweepatic EASM Platform. Quick wins can be gained here!
Overall, the Sweepatic EASM Platform provides a continuously updated overview of your external attack surface and its status. This helps organizations improve their cyber resilience, even with small adjustments and quick fixes. Stay ahead of those cybercriminals!