UpGuard has made a significant improvement to our scoring algorithm. This change may reduce your and your vendors’ security ratings.
This article explains what these improvements are, why we made them, and what actions you should take to respond to these changes.
These improvements came into effect on October 5th, 2020 UpGuard’s security rating algorithm. The improvements:
- Weight lower scores more heavily
- Place greater emphasis on network security issues
These changes will result in score reductions of approximately 20 to 30 points across our ecosystem. There will be no impact on scores generated via security questionnaires.
Why we are making these improvements
UpGuard has invested in its industry-leading security ratings technology since 2017. We have dedicated enormous resources to improving the accuracy of our algorithms and building tools to better-protect UpGuard customers. From time to time, this required us to adjust our scoring algorithm to include new information gleaned from industry trends, research, and customer feedback.
This is the first major change to our scoring algorithm since its inception. Here’s why these changes are beneficial:
- Weighting lower scores more heavily: Ensures poor security on an individual domain or IP address is not “averaged out” by otherwise good security across an organization’s infrastructure. An organization is only as secure as its weakest link.
- Placing a greater emphasis on network security issues: Open ports, while not dangerous on their own, often expose vulnerable services. A great example of this risk is WannaCry, a ransomware cryptoworm that infected more than 300,000 computers by exploiting a zero-day in old versions of a network protocol called SMB. WannaCry was so successful because the SMB port is open by default on many legacy Windows machines.
How you will know the improvements have come into effect
When we released the improvements to our scoring algorithm on October 5th, 2020, it took roughly 24 hours for it to cascade across our ecosystem.
Once the improvements have cascaded, you will see a line that indicates the change has occurred in the security rating graphs inside the UpGuard platform.
How you should respond to these changes
Here’s how you can improve your score in response to these improvements:
- Focus on low scoring domains first: Find your lowest scoring domains using the Domains & IPs section of UpGuard BreachSight. Once there, click on the “Score” header until the arrow points ↑. This sorts your domains from lowest to highest score, allowing you to focus on the highest risks first. Alternatively, if a domain is no longer in use you can decommission it, which will result in it being classified as inactive and not included in your score.
- Close unnecessary open ports: To find open ports, we recommend using the Risk Profile and filtering by category “Network Security”. The risk details table will display any unnecessary open ports and their severity. This allows you to focus on the open ports that pose the highest risk (and have the largest impact on your score).
We hope these improvements make our commitment to making the Internet safer even clearer. If you have any questions or feedback, please don’t hesitate to reach out.