Security Management Glossary

Security Rating - Sicherheitsbewertung (BitSight, SecurityScorecard)

Security ratings are continuous, automated assessments of an organization's externally visible cybersecurity posture, expressed on a scale (typically 0–900 or A–F) and derived from publicly observable indicators: open ports, SSL/TLS configuration, DNS records, dark web mentions, and signs of compromised systems. Providers such as BitSight, SecurityScorecard, and RiskRecon are used for vendor risk assessments, cyber insurance underwriting, and executive reporting.

Security ratings are the "credit score" of cybersecurity: similar to SCHUFA (the German consumer credit bureau) for creditworthiness, but for IT security. BitSight claims: "Companies with a BitSight score below 640 are 7.7 times more likely to suffer a data breach." Cyber insurers use security ratings as an underwriting factor, procurement teams review supplier scores before signing contracts, and CISOs use their own organization's score in executive reporting.

How Security Ratings Work

Data sources for security ratings (all external and passive, i.e. collected without any access to the rated organization's systems):

Technical signals:
  → Internet scanning (Shodan, Censys): open ports, services, versions
  → SSL/TLS configuration: TLS version, certificate validity, cipher suites
  → Email security: Are SPF, DMARC, and DKIM present and configured?
  → DNS configuration: Is DNSSEC enabled? Are there open DNS resolvers?
  → HTTP security headers: CSP, HSTS, X-Frame-Options, etc.
  → Web application fingerprints: identifiable software versions

Signs of compromise:
  → Botnet traffic: Is the IP sending spam or C2 traffic?
  → Malware hosting: Have malware samples been distributed from this IP?
  → Phishing hosting: Are phishing sites running on the domain?
  → Sinkhole data: Has the IP connected to C2 servers?
  → Ransomware leak sites: Does the company appear on leak sites?

Dark Web:
  → Credential leaks: Email/password combinations on the dark web?
  → Breach mentions: Does the organization appear in breach data?
  → Threat Actor Mentions: Are threat actors discussing the company?

Score Calculation:
  BitSight:          0–900 (700+ = good, <600 = poor)
  SecurityScorecard: A–F (A = very good, F = very poor)
  RiskRecon:         0–10 (9–10 = excellent)

  Factor Weighting (SecurityScorecard Example):
  - Application Security:      20%
  - Network Security:          20%
  - DNS Health:                10%
  - Patching Cadence:          20%
  - Endpoint Security:         10%
  - IP Reputation:             10%
  - Web Application Scanning:  5%
  - Cubit Score:               5% (complex signals)

Comparison of Major Providers

BitSight Technologies:
  Scale:           250–900 (700+ = "Advanced", <600 = "Basic" or worse)
  Strength:        Largest data collection, most commonly used for cyber insurance
  Special feature: "Evidence Ratings" – concrete findings, not just a score
  Use:             Cyber insurance (most common use)
  Price:           Enterprise, prices upon request

SecurityScorecard:
  Scale:           A–F plus a numerical score (0–100)
  Strength:        Best UI, understandable for non-technical executives
  Special feature: 10 categories with individual scores, industry comparison
  Use:             Vendor risk management, executive reporting
  Price:           Basic version free (own score), premium features require payment

RiskRecon (Mastercard):
  Scale:           0–10
  Strength:        Most detailed technical findings
  Special feature: Deepest asset detection (subdomains, cloud assets)
  Use:             Detailed vendor assessment
  Price:           Enterprise

Panorays:
  Strength:        Supply chain focus, including non-technical factors (compliance questionnaire)
  Special feature: Combines passive scans with active questionnaires
  Use:             Third-party risk management with supplier self-disclosure

UpGuard:
  Scale:           0–950
  Strength:        Comprehensive security checks, good API
  Price:           Also for SMEs (starter packages available)

Free Self-Assessment:
  SecurityScorecard:  securityscorecard.com → Get your own score for free
  Mozilla Observatory: observatory.mozilla.org → Web security check
  ImmuniWeb:          immuniweb.com/websec → Web security check
  SSL Labs:           ssllabs.com/ssltest → TLS score

BitSight Self-Assessment:
  → BitSight Free: basic score available (portfolio)
  → Similar free alternative: Shodan Monitor

Security Ratings for Vendor Risk Management

Third-Party Risk Management (TPRM) with Security Ratings:

Why is this important?
  → 60% of all data breaches involve third-party vendors (Ponemon 2024)
  → Supply chain attacks: SolarWinds, Kaseya, MOVEit
  → ISO 27001 A.5.21: Security in the supply chain
  → NIS2 Art. 21: Supply chain security as a requirement

TPRM process with security ratings:

  Tier classification of suppliers:
    Tier 1 (Critical):   Access to critical systems/data
                         → SecurityScorecard + detailed questionnaire + audit
    Tier 2 (Important):  Limited systems/data access
                         → SecurityScorecard + standard questionnaire
    Tier 3 (Standard):   No significant data access
                         → SecurityScorecard score + self-attestation

  Onboarding new suppliers:
    □ Retrieve SecurityScorecard score (< 1 minute!)
    □ Score < 70 (D/F): Supplier must submit a corrective action plan
    □ Critical issues (malware hosting, open port 22): immediate clarification
    □ Good score: Send questionnaire (simplified if necessary)

  Ongoing Monitoring (Continuous Monitoring):
    → Alerts if score deteriorates (e.g., score drops by >20 points)
    → Alert for new critical issues (malware, breach mention)
    → Quarterly review of Tier 1 suppliers

  Sample policy (supplier SLAs):
    Tier 1 supplier: Minimum SecurityScorecard score = B (>80)
    If score drops to C: 30-day corrective action plan
    If score drops to D/F: 14 days, escalation to CISO
    Malware hosting detected: immediate contact, 72 hours for clarification

  Reporting to management:
    → Average supplier score (trend)
    → Number of suppliers below minimum score
    → Critical issues in the supplier portfolio
    → "We have 3 Tier 1 suppliers with a score below 70 – measures initiated"
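The score calculation and the TPRM policy above, carried through in code as an added example (not from the glossary or any rating vendor). The factor weights are the SecurityScorecard example weights listed above; the letter-grade cut-offs, the Tier 2/3 minimum grades and the vendor data are assumptions, labelled in the comments.

```python
"""Added example, not from the glossary or any vendor: weighted score, letter
grade and tier policy using the SecurityScorecard factor weights listed above."""

# Factor weights exactly as listed on the page (they sum to 100).
WEIGHTS = {
    "application_security": 20, "network_security": 20, "dns_health": 10,
    "patching_cadence": 20, "endpoint_security": 10, "ip_reputation": 10,
    "web_application_scanning": 5, "cubit_score": 5,
}
# Assumed grade cut-offs, consistent with "B (>80)" and "< 70 (D/F)" on the
# page; not a published vendor formula.
GRADE_CUTOFFS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]
GRADE_ORDER = "FDCBA"                       # worst to best
MINIMUM_GRADE = {1: "B", 2: "C", 3: "D"}    # Tier 1 from the page; 2 and 3 assumed
DROP_ALERT_POINTS = 20                      # page: alert on a drop of >20 points
CRITICAL_ISSUES = {"malware_hosting", "breach_mention", "open_port_22"}


def weighted_score(factors):
    """factors: {factor: 0-100 score}; returns the weighted 0-100 total."""
    return sum(factors[name] * weight for name, weight in WEIGHTS.items()) / 100


def grade(score):
    return next(letter for cutoff, letter in GRADE_CUTOFFS if score >= cutoff)


def evaluate_vendor(name, tier, factors, previous_score, issues):
    """Applies the page's TPRM policy; returns (score, grade, actions)."""
    score = weighted_score(factors)
    letter = grade(score)
    actions = []
    if GRADE_ORDER.index(letter) < GRADE_ORDER.index(MINIMUM_GRADE[tier]):
        days = 30 if letter == "C" else 14          # C: 30 days, D/F: 14 days
        actions.append(f"{name}: {letter} ({score:.0f}) below Tier {tier} minimum "
                       f"{MINIMUM_GRADE[tier]}, {days}-day corrective action plan")
        if letter in "DF":
            actions.append(f"{name}: escalate to CISO")
    if previous_score - score > DROP_ALERT_POINTS:
        actions.append(f"{name}: score dropped {previous_score - score:.0f} points")
    for issue in sorted(issues & CRITICAL_ISSUES):
        actions.append(f"{name}: critical issue {issue}, immediate clarification")
    return score, letter, actions


# Constructed sample vendor (name and factor scores are made up).
ACME = {"application_security": 85, "network_security": 75, "dns_health": 60,
        "patching_cadence": 65, "endpoint_security": 90, "ip_reputation": 80,
        "web_application_scanning": 80, "cubit_score": 60}
```

Calling `evaluate_vendor("acme.test", 1, ACME, 96, {"malware_hosting"})` yields a C at 75 points, which for a Tier 1 supplier triggers the 30-day plan, a >20-point drop alert and an immediate-clarification action for the malware finding.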

Security Ratings in Cyber Insurance

Cyber insurers use security ratings as an underwriting factor:

How insurers use security ratings:
  Premium calculation: lower score → higher premium
  Risk exclusions: certain issues → exclusion from coverage
  Onboarding: Score below threshold → more underwriting questions
  Renewal: Score deterioration → premium adjustment

BitSight + Insurance Market:
  → BitSight is the industry standard among U.S. insurers (Berkshire, Aspen, etc.)
  → Increasingly also in Germany (market still developing)
  → "BitSight Score < 640 = significantly higher premium quote or rejection"

Improvements that quickly boost the score:
  Low-hanging fruit (quick impact):
    □ Email security: Configure SPF/DMARC/DKIM → immediate score increase
    □ HTTPS everywhere: fix missing HTTPS redirects
    □ Close open ports: block unnecessary ports in the firewall
    □ Renew SSL certificate: expired certificate → immediate score loss
    □ Compromised IPs: resolve bot traffic issues (hosting provider!)

  Medium term (weeks):
    □ Patch management: Identify unpatched software versions
    □ HTTP security headers: Implement HSTS, CSP, X-Frame-Options
    □ Outdated TLS versions: Disable TLS 1.0/1.1

  Long term (months):
    □ Reputation: Malware/spam hosting history improves over time
    □ Asset discovery: Secure or delete unknown subdomains
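The email-security signals from the low-hanging-fruit list, evaluated the way a passive rater would read them from public DNS. This is an added example, not code from the glossary or any provider; the domain names, selector and DNS data are constructed placeholders standing in for real TXT lookups.

```python
"""Added example, not from the glossary: grade the SPF, DMARC and DKIM signals a
rating provider can read from public DNS, using constructed TXT records."""

# Constructed stand-in for DNS TXT lookups (no network needed). Domain names and
# the selector are placeholders; the DKIM key body is a truncated dummy value.
TXT = {
    "weak.test": ["v=spf1 include:_spf.mailer.test ~all", "site-verification=xyz"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
    "hardened.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
    "mail._domainkey.hardened.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."],
}
# Terminal SPF mechanism -> (state, finding severity); None = no finding.
SPF_ALL = {"-all": ("strict", None), "~all": ("softfail", "medium"),
           "?all": ("neutral", "high"), "+all": ("permissive", "high")}
DMARC_SEVERITY = {"reject": None, "quarantine": "low", "none": "medium"}


def tags(record):  # "v=DMARC1; p=none" -> {"v": "DMARC1", "p": "none"}
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def check_spf(domain):
    spf = [r for r in TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "high"
    if len(spf) > 1:                 # RFC 7208: more than one record is an error
        return "invalid (multiple SPF records)", "high"
    return SPF_ALL.get(spf[0].split()[-1].lower(), ("no terminal all", "medium"))


def check_dmarc(domain):
    recs = [r for r in TXT.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing", "high"
    policy = tags(recs[0]).get("p", "").lower()
    return (policy or "invalid (no p= tag)"), DMARC_SEVERITY.get(policy, "high")


def check_dkim(domain, selectors=("mail", "selector1", "default")):
    # Passive raters only see DKIM keys at selectors they guess or observe in mail.
    for sel in selectors:
        for rec in TXT.get(f"{sel}._domainkey.{domain}", []):
            if tags(rec).get("p"):   # an empty p= means a revoked key
                return f"present ({sel})", None
    return "not found at common selectors", "medium"


def assess(domain):
    return {"spf": check_spf(domain), "dmarc": check_dmarc(domain), "dkim": check_dkim(domain)}


def findings(domain):
    """Only the signals that would cost rating points, as sorted text lines."""
    return sorted(f"{sig}: {state} [{sev}]" for sig, (state, sev) in assess(domain).items() if sev)
```

`findings("weak.test")` reports a softfail SPF, a DMARC policy of none and no discoverable DKIM key, while `findings("hardened.test")` is empty; swapping `TXT.get` for a real resolver turns this into a check you can run against your own domains before a rater does.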

Why security ratings are not a complete security assessment:
  → Only external, passive signals—no insight into internal systems
  → No measurable phishing simulations or awareness training
  → No internal network, no AD, no endpoint status
  → "Security theater": good score ≠ no internal weaknesses
  → Real value: attacker perspective + vendor monitoring + benchmarking
  → Complement: Security rating + pentest + SIEM + awareness = complete picture