Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/10/2013
08:44 PM
50%
50%

Security Ratings Proliferate As Firms Seek Better Intel

Scoring services seek to measure the security of almost every step of the business supply chain, from suppliers and transactions to applications and services

Wondering whether a mobile app is safe? There's a score for that. What about whether a business partner takes security seriously? There's a score for that, too.

A wave of companies have launched services aimed at giving their customers a better understanding of the risks associated with different components of the business supply chain, from transactions to applications and from cloud services to partners. ThreatMetrix, for example, uses information gleaned from visitors to its customers' websites to place a risk score on transactions that can be used to decide whether a transaction is fraudulent. Startup BitSight mines public security data -- such as blacklists, fast-flux domain lists, and other indicators of compromise -- to assign a rating to its clients' partners.

The push to rate the security of each component of a business promises to give executives and managers more information with which to make decisions, says Sonali Shah, vice president of products for BitSight.

"We are bringing science to the management of security," she says. "The idea is to allow the chief information security officers to go into meetings with businesses and present data used around their decisions."

Security-conscious businesses are already moving toward finding better ways to measure the security posture of their own organizations. Some companies have launched big-data analytics projects to crunch security data and find the signs of potential attacks.

Yet information on the security of the supply chain is not as readily available. Large companies routinely require suppliers to fill out assessments for compliance to a variety of regulations, but verifying the partners' assertions can be difficult. In addition, most companies do not have the expertise to vet the security of a mobile application or to gauge the security of a cloud service, so simplifying the process into a single -- or set of -- ratings is important, says Domingo Guerra, co-founder and president of Appthority. The company offers a service for creating mobile-device security policies based on its analysis of the privacy and security attributes of mobile applications.

"Many companies are afraid of what's going on because they don't understand their current exposure or their current risk," he says.

[A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems. See Threat-Intel Sharing Services Emerge, But Challenges Remain.]

Security ratings for different aspects of the business also give companies the ability to turn a binary decision -- good or bad -- into a spectrum of risk. Different companies can have different tolerances of risk and may take different actions based on a particular score, says Peter Liske, vice president of product management for ThreatMetrix. The company uses on-the-fly analysis to determine whether a person visiting one of its client's websites is a legitimate customer or trying to conduct fraud. From a computer with a strangely configured browser to a single device logging into different accounts, a variety of anomalies can tip off the service to possible fraud and result in a lower score, but what constitutes an acceptable risk is up to the company, he says. "The reputation and anomaly-checking is not binary, it is more of a percentage game," Liske says. "It comes down to a decision of how much risk do I want to take in regard to fraud versus how much inconvenience do I want to burden my users with?"

Using ratings also allow a CIO or CISO to have more flexible options -- to limit, rather than block, a low-scoring app, says Sanjay Beri, CEO and founder of startup Netskope, which came out of stealth this week. Netskope, and rival SkyHigh Networks, help their customers discover and manage their cloud services and, as part of that, rate cloud services in terms of security and maturity.

"Allowing an app or blocking an app is not the level of control that a CIO needs," he says. Instead, they should be able to allow but limit the data that can be put into the service, or allow but limit the people who can use the service. "We are giving them a scalpel rather than making them use a sledgehammer," he says.

Finally, most companies do not have the time to continuously re-evaluate the security of each component of their businesses, but regularly updating the metrics is important, says Stephen Boyer, co-founder and chief technology officer of BitSight. Having a service that automatically updates the security rating is the best way to catch changes that could impact the security of the business.

"A lot of the techniques are a single point of time, and what people really want is to have good performance over time," he says. "Security needs to be continuously monitored."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...