Service Risk Management
Services are assessed for how vulnerable they are to outside attack. To do so, Skyhigh CASB evaluates parameters such as IP filtering, malicious misuse, and preventive measures taken against cross-site request forgery (CSRF), cross-site scripting (XSS) attacks, and other common security threats.
Service Risk Attributes
The Service Risk score is calculated from the following categories, attributes, and values defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Development Practices | Penetration Testing for Service | Does the vendor regularly perform penetration testing, that is, evaluate the security of its IT infrastructure by safely attempting to exploit vulnerabilities? | 10 - Clean reputable recent; 20 - Routine; 30 - Recent; 40 - Reputable recent with issue; 70 - Not publicly known; 80 - None |
Authentication | IP Filtering Support | Does the cloud service provider support IP allow lists to restrict access to the enterprise tenant from unauthorized IP address spaces? | 10 - Yes; 30 - Not publicly known; 60 - No |
Threat & Vulnerability Management | Known Malicious Misuse of Service | Has the cloud service provider had a public disclosure of malware hosted on its site, or been labeled a known dropzone for malicious code, within the given time frame? | 10 - Not publicly known; 20 - Greater than 1 year; 50 - Less than 1 year; 70 - Less than 3 months; 80 - Less than 1 month |
Security | Breach Identified for Service | Has the cloud service provider had a public disclosure of a breach of its service within the given time frame? | 10 - Not publicly known; 20 - Greater than 1 year; 50 - Less than 1 year; 70 - Less than 3 months; 80 - Less than 1 month |
Security | Published CVE Vulnerability | Does the service have a known and published Common Vulnerabilities and Exposures (CVE) vulnerability? Yes displays the CVE ID number. | 10 - No; 30 - Possible; 80 - Yes |
Security | Security Incident Notification | Does the service notify all customers and stakeholders in a timely manner when a security incident, malicious event, or breach is identified? | 10 - Less than 1 day |
Web Application Security | Application Security Vulnerability Protection | Does the cloud service support a Web Application Firewall (WAF) that protects the organization's internet properties from common vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery, with no changes to the existing infrastructure? | 10 - Yes; 40 - Not publicly known; 70 - No |
Web Application Security | WAF Detection Mode | Which WAF detection modes does the provider use? | 10 - Blocking |
HTTP Header Security | Content Security Policy | Content Security Policy (CSP) is a computer security standard that provides an added layer of protection against cross-site scripting (XSS), clickjacking, and other code injection attacks that rely on executing malicious content in the context of a trusted web page. | 10 - Strong |
HTTP Header Security | Strict Transport Policy | This attribute indicates that the website should always be loaded over HTTPS only. | 10 - Sub-Domains/Preload; 20 - Yes; 80 - No |
HTTP Header Security | X-Content Type Options | This response header prevents MIME-type sniffing attacks. | 10 - Yes; 80 - No |
HTTP Header Security | X-XSS-Protection | This response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. | 10 - Yes (Block Mode /Report User); 30 - Yes; 80 - No |
HTTP Header Security | X-Frame Options | This response header provides clickjacking protection. | 10 - Deny; 30 - Same Origin; 80 - No |
HTTP Header Security | X-Permitted-Cross-Domain-Policies | A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. | 10 - None; 50 - By Type; 30 - Primary Only; 80 - No; 70 - All |
Encryption | Server Wildcard Certificate | Does the service support wildcard certificates? | 40 - Not publicly known |
Encryption | Server Certificate Validation Method | What validation method was used for the SSL certificate? | 60 - Not publicly known; 30 - Extended Validation; 40 - Organization Validation; 50 - Domain Validation |
Encryption | OCSP Validation Result | What is the revocation status of the service certificate? | 40 - Not publicly known; 70 - Revoked; 10 - Good |
Encryption | SSL Session Reuse | Does the service support SSL session reuse? | 40 - Not publicly known; 70 - No; 10 - Yes |
Encryption | Negotiated Ciphers | Does the service negotiate any insecure or weak ciphers during communication? | 40 - Not publicly known; 70 - No; 10 - Yes |
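As an added example that is not part of the Skyhigh CASB documentation, the Python below takes a set of HTTP response headers and maps each HTTP Header Security attribute from the table to the score and value the table lists. Three things the table leaves undefined are assumptions made here: what makes a CSP "Strong" (a default-src directive that allows neither 'unsafe-inline' nor a bare '*'), that either includeSubDomains or preload qualifies for "Sub-Domains/Preload", and that "Primary Only" corresponds to the header's master-only value. An observed value the table does not enumerate is returned with a None score rather than an invented one, and the sample header sets are constructed, not captured from any real service.

```python
"""Score HTTP response headers against the 'HTTP Header Security' attribute
values in the table above (added example, not Skyhigh CASB code).
A None score means the observed value is not one the table lists."""
from __future__ import annotations

UNLISTED = (None, "value not listed in the table")


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def score_csp(headers: dict[str, str]) -> tuple[int | None, str]:
    """Content Security Policy. The table lists only '10 - Strong'; the
    'Strong' test is an assumption: default-src present and allowing
    neither 'unsafe-inline' nor a bare '*' source."""
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        return UNLISTED
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    default = directives.get("default-src")
    if default and "'unsafe-inline'" not in default and "*" not in default:
        return 10, "Strong"
    return UNLISTED


def score_hsts(headers: dict[str, str]) -> tuple[int | None, str]:
    """Strict Transport Policy. Assumption: includeSubDomains or preload
    (either one) earns the 'Sub-Domains/Preload' value."""
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        return 80, "No"
    tokens = {t.strip().lower() for t in hsts.split(";")}
    if "includesubdomains" in tokens or "preload" in tokens:
        return 10, "Sub-Domains/Preload"
    return 20, "Yes"


def score_content_type_options(headers: dict[str, str]) -> tuple[int | None, str]:
    value = _get(headers, "X-Content-Type-Options")
    if value is not None and value.lower() == "nosniff":
        return 10, "Yes"
    return 80, "No"


def score_xss_protection(headers: dict[str, str]) -> tuple[int | None, str]:
    value = _get(headers, "X-XSS-Protection")
    if value is None or value.startswith("0"):
        return 80, "No"
    lowered = value.lower()
    if "mode=block" in lowered or "report=" in lowered:
        return 10, "Yes (Block Mode /Report User)"
    return 30, "Yes"


def score_frame_options(headers: dict[str, str]) -> tuple[int | None, str]:
    value = _get(headers, "X-Frame-Options")
    if value is None:
        return 80, "No"
    if value.upper() == "DENY":
        return 10, "Deny"
    if value.upper() == "SAMEORIGIN":
        return 30, "Same Origin"
    return UNLISTED


def score_cross_domain_policies(headers: dict[str, str]) -> tuple[int | None, str]:
    """Assumption: the table's 'Primary Only' is the header's master-only value."""
    value = _get(headers, "X-Permitted-Cross-Domain-Policies")
    if value is None:
        return 80, "No"
    mapping = {"none": (10, "None"), "master-only": (30, "Primary Only"),
               "by-content-type": (50, "By Type"), "all": (70, "All")}
    return mapping.get(value.lower(), UNLISTED)


def score_headers(headers: dict[str, str]) -> dict[str, tuple[int | None, str]]:
    """Map every HTTP Header Security attribute to its (score, value) pair."""
    return {
        "Content Security Policy": score_csp(headers),
        "Strict Transport Policy": score_hsts(headers),
        "X-Content Type Options": score_content_type_options(headers),
        "X-XSS-Protection": score_xss_protection(headers),
        "X-Frame Options": score_frame_options(headers),
        "X-Permitted-Cross-Domain-Policies": score_cross_domain_policies(headers),
    }


# Constructed sample responses (not captured from any real service).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Permitted-Cross-Domain-Policies": "none",
}
WEAK = {
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "strict-transport-security": "max-age=300",
    "x-xss-protection": "1",
    "x-frame-options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name)
        for attribute, (score, value) in score_headers(hdrs).items():
            print(f"  {attribute}: {score} - {value}")
```

Feeding the headers of a real response (for example from `requests.get(url).headers`, which already supports case-insensitive lookup) into `score_headers` gives a per-attribute breakdown that can be compared against the table; the None score is deliberately kept distinct from the table's 80 so that an unrecognised value is flagged for review instead of silently scored as absent.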
Deprecated Attributes
The attribute Source of Leak for Darknet has been deprecated by the third-party service that created it. Skyhigh CASB has distributed the corresponding weight of the former attribute among the following attributes:
- Known Malicious Misuse of Service
- Breach Identified for Service
- Application Security Vulnerability Protection