Comprehensive Cyber Risk Scorecard

Comprehensive Cyber Risk Security Scorecard

Actionable, complete and comprehensive risk assessment for your company or third-party vendors.

The comprehensive cyber risk scorecard not only measures the risk level of a company but also analyzes and prioritizes the data to generate an actionable report. The prioritized action list, compliance control and technical details of each finding make security engineers’ lives easier. You can quickly and comprehensively conduct your third-party risk assessment so you know not only your riskiest assets but also your risky vendors.

  • Nonintrusive scan of your web and dark web presence
  • Detailed findings based on cyber threat intelligence about you
  • Hacker reconnaissance! First step of the cyber kill chain
  • Fully automated. All findings are validated & prioritized
  • Self risk assessment or third-party risk management

NormShield Risk Categories

The comprehensive cyber risk scorecard (CSRS) measures the risk level of your company and analyzes and prioritizes the data to generate an actionable, letter-grade and color-coded report. The prioritized action list, compliance control and highly technical details of each finding make security engineers’ lives easier. You can quickly and comprehensively conduct your self-assessment or third-party risk assessment. NormShield Cyber Risk Scorecard evaluates a company in many different categories. Each category provides specific information about an aspect of a firm’s cybersecurity posture.

  • Patch Management

    We collect details related to the version number of your systems and software from internet-wide scanners like Censys, Shodan, Zoomeye etc. These version numbers are converted into the corresponding common platform enumeration number (CPE-ID) and are correlated with NIST NVD and MITRE CVSS databases to detect and approximate any unmitigated known vulnerabilities.

  • DNS Health

    We generate a DNS health report from 40+ control items collected from online services like IntoDNS, Robtex, Netcraft, and HackerTarget. Since DNS queries are recursive, it is almost impossible to detect hacker footprints from DNS servers.

  • SSL/TLS Strength

    SSL/TLS configurations and vulnerabilities are provided by several third-party online services. The results come from various online SSL grading services, including Qualys SSL Labs scanner, HTBridge, and Mozilla Website Observatory.

  • IP/Domain Reputation

    An asset reputation score is based on the number of IPs or domains that are blacklisted or used for sophisticated APT attacks. The reputation feeds are collected from VirusTotal, Cymon, Firehol, BlackList DNS servers, and more.

  • Hacktivist Shares

    Hackers publicize their targets in underground forums or the dark web. NormShield collects information from hundreds of dark forums, criminal sites and hacktivist sites, and filters the results for the corresponding company.

  • Fraudulent Applications

    Fraudulent or pirate mobile or desktop applications are used to hack/phish employee or customer data. Possible fraudulent or pirate mobile/desktop apps on Google Play, App Store, and pirate app stores are provided.

  • Information Disclosure

    Company employees may disclose local IPs, email addresses, version numbers, whois privacy records or even misconfigure a service in a way that may expose sensitive information to the internet.

  • Brand Monitoring

    Brand monitoring is a business analytics process that monitors various channels on the web or media to gain insight about the company, brand, and anything explicitly connected to the cyberspace.

  • DDoS Resiliency

    This section shows the result of 15 different potential DDoS checks and detects any potential DDoS amplification endpoints. The data is collected from non-intrusive scanners and internet-wide scanners.

  • CDN Security

    A content delivery network (CDN) is a large distributed system of servers deployed in multiple data centers across the Internet. Companies use CDNs for online libraries like jQuery. This section analyzes the CDN content to detect possible vulnerabilities.

  • Application Security

    We collect the contents of web applications from various Internet-wide scanners and analyze them for application-level weaknesses, such as Cross Site Request Forgery, Cross Content Mixing, and Plain Text Transmission of Sensitive Information. The results are correlated with the MITRE CWE database to detect the severity level of each finding.

  • Email Security

    We collect vulnerabilities related to potential email servers and SMTP misconfigurations like open relay, unauthenticated logins, restricted relay, and SMTP ‘Verify’ vulnerabilities from online services like MxToolbox and eMailSecurityGrader.

  • Leaked Credentials

    There are more than five billion hacked emails/passwords available on the Internet and underground forums. This section shows the leaked or hacked emails and passwords.

  • Social Network

    Hackers publicize their targets or even victims on social networking sites to motivate other hackers to attack the same target. The results are filtered from billions of social media posts.

  • Fraudulent Domains

    Fraudulent domains and subdomains are extracted from the domain registration database. The registered domains’ database holds more than 300M records.

  • Digital Footprint

    A digital footprint is determined by open ports, services, and application banners. This information is gathered from NormShield crawlers, Censys, VirusTotal, Robtex, Alexa, Shodan, and others.

  • Attack Surface

    Attack surface is the technical analysis of open critical ports, out-of-date services, application weaknesses, SSL/TLS strength, and any misconfigurations. This information is gathered from Censys and Shodan databases and service/application versions are correlated with Passive Vulnerability Scan results.

  • Network Security

    This section analyzes network-level problems and detects any critical ports, unprotected network devices, misconfigured firewalls, and service endpoints.

  • Web Ranking

    Cisco, Alexa and Majestic track web sites and rank them according to popularity, back-links, and references. This subcategory shows Alexa and Majestic trends, Google Page insight speed test results, as well as Web Content Accessibility Guidelines (WCAG) 2.0 parsing compliance findings.

  • Website Security

    This is a special analysis of a company’s main website. We collect findings related to your SSL/TLS strength, patch management, application security, web ranking and brand monitoring.

The Methodology

Cyber Threat Susceptibility Assessment (CTSA) is a methodology for evaluating the susceptibility of a system to cyber-attack developed by MITRE. CTSA quantitatively assesses a system's inability to resist cyber-attack over a range of cataloged attack Tactics, Techniques, and Procedures (TTPs). CTSA consists of the following steps:


Product Methodology

To generate the scorecard, NormShield needs only the company domain. The engine collects the related information from VirusTotal, passive DNS servers, web search engines, and other Internet-wide scanners as well as NormShield's proprietary databases, which hold more than 10 billion historic items. The engine searches the database in order to find all IP address ranges and domain names that belong to the company. NormShield uses what is called Open Source Intelligence (OSINT), shown below, to gather information. The following map shows how hackers can leverage their attack vectors by using OSINT resources like hacker forums, social networks, Google, leaked database dumps, paste sites, or even legitimate security services like VirusTotal, Censys, Cymon, Shodan, or Google Safe Browsing.



NormShield compiles this data into a simple, readable report with letter-grade scores to help identify and mitigate potential security risks. It identifies the risks (CVE/CWE), the risk score of the corresponding vulnerabilities/weaknesses (CVSS/CWSS), and attack patterns (CAPEC / FIPS-199 impact level). NormShield also classifies the findings by FISMA Cyber Security Framework Area and Maturity Level, NIST 800-53 Control Family, FIPS-200 Area, and NIST 800-37 Process Step. NormShield does all of this without scanning or modifying any of the organization’s business assets.