CONTACT US
Third Party Risk Management - Consultancy, Assessment & Advisory

Comprehensive Cyber Risk Scorecards

Actionable, complete & comprehensive risk assessment for your company & third-parties.

The comprehensive cyber risk scorecard enables not only to measure the risk level of a company but also it analyses and prioritises the data to generate an actionable report. The prioritised action list, compliance control and technical details of each finding make security engineers’ lives easier.

You can quickly and comprehensively conduct your third-party risk assessment so you know not only your riskiest assets but also your risky third-parties with:

Nonintrusive scan of your web and dark web presence

Detailed findings based on cyber threat intelligence about you

Hacker reconnaissance! First step of the cyber kill chain

Fully automated system with all findings are validated & prioritised

The comprehensive cyber risk scorecard (CSRS) measures the risk level of your company and analyses and prioritises the data to generate an actionable, letter-grade and color-coded report. The prioritised action list, compliance control and highly technical details of each finding make security engineers’ lives easier.

Black Kite Cyber Risk Scorecard evaluates a company in many different categories. Each category provides specific information about an aspect of a firm’s cybersecurity posture.

Cyber Risk Scorecard Categories

  • Patch Management
    We collect details related to the version number of your systems and software from internet-wide scanners like Censys, Shodan, Zoomeye etc. These version numbers are converted into the corresponding common platform enumeration number (CPE-ID) and are correlated with NIST NVD and MITRE CVSS databases to detect and approximate any unmitigated known vulnerabilities.
  • DNS Health
    We generate a DNS health report from 40+ control items collected from online services like IntoDNS, Robtex, Netcraft, and HackerTarget. Since DNS queries are recursive, it is almost impossible to detect hacker footprints from DNS servers.
  • SSL/TLS Strength
    SSL/TLS configurations and vulnerabilities are provided by several third-party online services. The results come from various online SSL grading services, including Qualys SSL Labs scanner, HTBridge, and Mozilla Website Observatory.
  • IP/Domain Reputation
    An Asset reputation score is based on the number of IPs or domains that are blacklisted or used for sophisticated APT attacks. The reputation feeds are collected from VirusTotal, Cymon, Firehol, BlackList DNS servers, and more.
  • Hacktivist Shares
    Hackers publicize their targets in underground forums or the dark web. Black Kite collects information from hundreds of dark forums, criminal sites and hacktivist sites, and filters the results for the corresponding company.
  • Fraudulent Applications
    Fraudulent or pirate mobile or desktop applications are used to hack/phish employee or customer data. Possible fraudulent or pirate mobile/desktop apps on Google Play, App Store, and pirate app stores are provided.
  • Information Disclosure
    Company employees may disclose local IPs, email addresses, version numbers, whois privacy records or even misconfigure a service in a way that may expose sensitive information to the internet.
  • Brand Monitoring
    Brand monitoring is a business analytics process that monitors various channels on the web or media to gain insight about the company, brand, and anything explicitly connected to the cyberspace.
  • DDoS Resiliency
    This section shows the result of 15 different potential DDoS checks and detects any potential DDoS amplification endpoints. The data is collected from non-intrusive scanners and internet-wide scanners.
  • CDN Security
    A content delivery network (CDN) is a large distributed system of servers deployed in multiple data centres across the Internet. Companies use CDNs for online libraries like JQuery. This section analyses the CDN content to detect possible vulnerabilities.
  • Application Security
    We collect the contents of web applications from various Internet-wide scanners and analyse them for application-level weaknesses, such as Cross Site Request Forgery, Cross Content Mixing, and Plain Text Transmission of Sensitive Information. The results are correlated with the MITRE CWE database to detect the severity level of each finding.
  • Email Security
    We collect vulnerabilities related to potential email servers and SMTP misconfigurations like open relay, unauthenticated logins, restricted relay, and SMTP ‘Verify’ vulnerabilities from online services like MxToolbox and eMailSecurityGrader.
  • Leaked Credentials
    There are more than five billion hacked emails/passwords available on the Internet and underground forums. This section shows the leaked or hacked emails and passwords.
  • Social Network
    Hackers publicize their targets or even victims on social networking sites to motivate other hackers to attack the same target. The results are filtered from billions of social media posts.
  • Fraudulent Domains
    Fraudulent domains and subdomains are extracted from the domain registration database. The registered domains’ database holds more than 300M records.
  • Digital Footprint
    A digital footprint is determined by open ports, services, and application banners. This information is gathered from Black Kite crawlers, Censys, VirusTotal, Robtext, Alexa, Shodan, and others.
  • Attack Surface
    Attack surface is the technical analysis of open critical ports, out-of-date services, application weaknesses, SSL/TLS strength, and any misconfigurations. This information is gathered from Censys and Shodan databases and service/application versions are correlated with Passive Vulnerability Scan results.
  • Network Security
    This section analyses network-level problems and detects any critical ports, unprotected network devices, misconfigured firewalls, and service endpoints.
  • Web Raking
    Cisco, Alexa and Majestic track web sites and rank them according to popularity, back-links, and references. This subcategory shows Alexa and Majestic trends, Google Page insight speed test results, as well as Web Content Accessibility Guidelines (WCAG) 2.0 parsing compliance findings.
  • Website Security
    This is a special analysis of a company’s main website. We collect findings related to your SSL/TLS strength, patch management, application security, web ranking and brand monitoring.

The Methodology of Cyber Risk Scoring

Cyber Threat Susceptibility Assessment (CTSA) is a methodology for evaluating the susceptibility of a system to cyber-attack developed by MITRE. CTSA quantitatively assesses a system’s inability to resist cyber-attack over a range of catalogued attack Tactics, Techniques, and Procedures (TTPs).

To generate the scorecard, Black Kite needs only the company domain. The engine collects the related information from VirusTotal, Passive DNs servers, web search engines, and other Internet wide scanners as well as Black Kite’s proprietary databases, which hold more than 10 billion historic items. The engine searches the database in order to find all IP address ranges and domain names that belong to the company. Black Kite uses what is called Open Source Intelligence (OSINT) to gather information. The following map shows how hackers can leverage their attack vectors by using OSINT resources like hacker forums, social networks, Google, leaked database dumps, paste sites, or even legitimate security services like VirusTotal, Censys, Cymon, Shodan, or Google Safe Browsing.

Critically, Black Kite does all of this without scanning or modifying any of the organisation’s business assets.

Cyber Risk delivered in One Simple Report

This data is compiled into a simple, readable report with letter-grade scores to help identify and mitigate potential security risks. It identifies the risks (CVE/CWE), the risk score of the corresponding vulnerabilities / weaknesses (CVSS/CWSS), and attack patterns (CAPEC / FIPS-199 impact level). The report also classifies the findings into

  • FISMA Cyber Security Framework Area and Maturity Level,
  • NIST 800-53 Control Family,
  • FIPS-200 Area, and
  • NIST 800-37 Process Steps

Request Your Free Cybersecurity Rating & Demonstration

Receive a Free Cybersecurity Rating to know the cyber risks of your organisation or one of your critical third-parties. Simply register here for your free report including:
  • A technical, financial, and compliance rating of your company or any vendor in your ecosystem
  • Ransomware Susceptibility Index (RSI) rating, determining how likely you or a vendor in your ecosystem is to experience a ransomware attack
  • Accurate ratings calculated using open-source intelligence and industry standards, like MITRE and NIST, to further confirm the criticality of each threat
  • The opportunity to schedule a free meeting with a DVV Solutions representative to further understand your organisation’s cyber posture
Call today 0161 476 8700

or Submit a Contact Form

Download

Why choose us?

We are specialists in Third Party Risk Management with over 20 years of experience in Cyber Security and Governance, Risk & Compliance and a dedicated team of experienced IT Security Assurance Consultants.
We are a vendor agnostic, managed service provider that is able to focus on delivering a TPRM program built around your specific risk-based, organisational and regulatory requirements.
We are a Shared Assessments Program member and recognised Assessment Firm with certified IT Security Assurance Consultants able to deliver a comprehensive service based on industry standards and best practice.