Cybersecurity ratings have come a long way since they were first introduced.
Today’s cybersecurity ratings are a guide for uncovering and addressing cybersecurity issues that need to be resolved before they are exploited. In a world where financial institutions have a multitude of vendors with access to sensitive information, ratings help identify third-party vendors that are real-time risks, allowing a financial institution to take action to mitigate the threat.
A detailed cybersecurity rating lets you know which of your vendors are most susceptible to a breach before it happens and helps identify vendors that are not aligned with your institution’s cyber risk appetite.
How do you know if a cybersecurity rating is covering all the bases? Make sure it monitors these key areas:
- Open ports. Monitors ports exposed to the public internet to determine if unnecessary access points exist.
- TLS/SSL certificates. Monitors records to verify accuracy of vendor’s servers and relationships to establish cryptographic trust.
- TLS/SSL configuration. Monitors records to ensure that servers have properly configured security protocol libraries and support strong encryption standards.
- Sender Policy Framework (SPF). Monitors DNS records to identify which mail servers are permitted to send email on behalf of a domain to prevent hackers from forging email.
- Domain Keys Identified Mail (DKIM). Monitors protocols to prevent unauthorized servers from sending email on behalf of a company’s domain.
- Network security. Monitoring for database vulnerabilities, lack of proper network security measures.
- DNS health. Monitoring for multiple DNS configuration settings to determine inappropriate vs. recommended configurations.
- Patching cadence. Monitoring frequency of patching operating systems, services, applications, software, and hardware in a timely manner.
- Endpoint security. Monitoring for protection of a vendor’s laptops, desktops, mobile devices, and all employee devices that access the vendor’s network.
- IP reputation. Monitoring millions of malware signals from all over the world to detect infected IP addresses attributed to vendors to determine a level of risk and the quantity and duration of the infections.
- Web application security. Monitoring for cross-site scripting attacks and SQL injection attacks.
- Mobile application security. Monitors mobile applications in Android and iOS devices connected to the vendor’s network with known security risks that could compromise the vendor’s network.
- Hacker chatter. Monitors hacker communications from multiple streams to determine if a vendor is discussed and/or targeted.
- Leaked credentials. Monitors all sensitive information that is exposed as part of a data breach or leak, keylogger dumps, paste bin dumps, database dumps, and other information repositories, which are associated with vendor email addresses or other vendor dates to access likelihood of a data breach.
- Social engineering. Monitors factors related to social engineering, which include vendor employees using network devices for social networks, personal finances, marketing lists, etc. that can be exploited.
Vendors are not always quick to alert their clients of a cybersecurity issue, and vendors can often be unaware of issues. For example, Scottrade only discovered it had exposed 20,000 customers’ data because an outside white hat researcher uncovered the flaw.
Don’t wait for a vendor to reveal an issue. Make sure you are being as proactive as possible in identifying and mitigating potential vendor data breaches. As a financial institution, you can’t afford to take risks with your reputation.