How We Went From 64 to 96 Points in Two Months
It Started With A Newsletter
A few weeks ago, we received a newsletter from a competitor concerning video conferencing safety and security. The newsletter discussed the importance of security and how customers should carefully select their video conferencing provider. One of the topics was the External Security Posture. This competitor proclaimed in their newsletter that they are leading the embedded video space with a score of 94 points (out of 100). The score was issued by a company called SecurityScorecard.
Because we at Veeting value data privacy and security, we were intrigued by our competitor’s claim and investigated how we scored with SecurityScorecard. We signed up to them and were shocked to see that we scored only 64 points.
SecurityScorecard is a US company aiming to become a global security rating agency, similar to credit rating agencies such as Moody's, S&P Global Ratings and Fitch. Rather than examining the financial health of companies, SecurityScorecard rates the external security posture of companies by scanning servers and IP addresses associated with that company.
Each server associated with a company is then screened against a variety of security criteria they have defined. Finally, a score between 0 and 100 is assigned, similar to financial ratings ranging from D to AAA. SecurityScorecard claims that, on average, the higher the rating the less likely companies are to be impacted by security breaches.
Their primary customer base appears to be enterprises that use a vendor portfolio to monitor their suppliers. These portfolios display overall security scores and identify riskier and less risky suppliers, ultimately assisting them in mitigating their own software security risks.
While we have no doubt that security scorecards and assessments are crucial for every company, at first we felt as though we had been shaken down by mobsters. This is not a service from which software vendors can opt in or out. Achieving and maintaining a high score in accordance with that particular company’s assessment criteria adds to our cost of doing business. We were never asked if we wanted to take part in it, nor were we able to evaluate and assess their criteria for functionality. Customers could have added us to their supplier scorecard and decided not to do business with us, simply because we were not following what this seemingly arbitrary company thought best.
Fortunately, the free-tier option provided us with sufficient information about the reasons for our initial low score. Furthermore, the extremely helpful representative of SecurityScorecard assisted us in removing servers that were not under our control.
As we dug deeper into the remaining concerns, we gained a better understanding of potentially valid problems we had never considered previously.
The Good News
The good news first: even though our initial score was low, SecurityScorecard did not find critically rated issues on any of our production servers. These servers, which contain user data and facilitate video conferences, are used by our clients. This gave us confidence that our established procedures live up to our standards.
Long Forgotten Servers
SecurityScorecard found a server we had long forgotten about. It was once used for testing purposes and should have been shut down. The scans also found an incorrectly configured firewall associated with an internal project management tool. We were glad to have been informed of these.
Parked Domain Names
To safeguard its trademark, Veeting registers a number of domain names. The majority of these remain parked with the registrar. They neither point to any of our servers nor are they used in any way. Nevertheless, we remain responsible for them because they are our domain names.
At this specific registrar, parked domain names get certain DNS records by default, including an MX record, but no SPF record. Without an SPF policy, a receiving mail server has nothing to check a sender address against, so in theory a malicious party could have sent mail with one of these domain names in the “from” address and deceived the recipient into thinking it came from us. Publishing SPF records for the parked domains was simple to do and helped raise our score.
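The checks a practitioner would run over a list of parked domains, as an added example that is not Veeting's or SecurityScorecard's code: for each domain it looks for a mail-host MX record, for the presence of exactly one SPF record, and for that record ending in `-all` (the only qualifier that tells receivers to reject forged mail outright). The DNS data is a constructed in-memory stand-in so the script runs offline; `lookup_records` is an assumed hook to replace with real queries. The "properly parked" case also shows the null MX record from RFC 7505, which states that the domain accepts no mail at all.

```python
"""Audit parked domains for mail-spoofing exposure (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample zone data: domain -> {rtype: [values]}. Not real DNS.
SAMPLE_DNS: Dict[str, Dict[str, List[str]]] = {
    # Registrar default: MX points at the registrar's mail host, no SPF at all.
    "veeting-example.net": {"MX": ["10 mail.registrar.example."], "TXT": []},
    # Parked, but with a lax SPF: "+all" authorises any host on the internet to send.
    "veeting-example.org": {"MX": ["10 mail.registrar.example."], "TXT": ["v=spf1 +all"]},
    # Two SPF records are a permerror (RFC 7208 s4.5): receivers treat it as no policy.
    "veeting-example.info": {"MX": [], "TXT": ["v=spf1 -all", "v=spf1 ~all"]},
    # Properly parked: null MX (RFC 7505) plus a deny-all SPF policy.
    "veeting-example.com": {"MX": ["0 ."], "TXT": ["v=spf1 -all"]},
}


@dataclass
class Finding:
    domain: str
    status: str                      # "ok", "warn" or "fail"
    reasons: List[str] = field(default_factory=list)


def lookup_records(domain: str, rtype: str) -> List[str]:
    """Stand-in resolver over the constructed data (assumption: swap in real DNS lookups)."""
    return SAMPLE_DNS.get(domain, {}).get(rtype, [])


def spf_records(domain: str) -> List[str]:
    """RFC 7208 s3: only TXT records that start exactly with 'v=spf1' are SPF records."""
    return [t for t in lookup_records(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]


def spf_final_qualifier(record: str) -> Optional[str]:
    """Qualifier of the 'all' mechanism ('+', '-', '~' or '?'); None if there is no 'all' term."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return None


def audit_parked_domain(domain: str) -> Finding:
    finding = Finding(domain, "ok")
    mx = lookup_records(domain, "MX")
    spf = spf_records(domain)

    # A real mail host in MX invites mail to a domain that should handle none; null MX ("0 .") does not.
    if mx and not any(v.split()[-1] == "." for v in mx):
        finding.reasons.append("MX points at a mail host although the domain sends and receives nothing")
        finding.status = "warn"

    if not spf:
        finding.reasons.append("no SPF record: receivers cannot reject forged sender addresses")
        finding.status = "fail"
    elif len(spf) > 1:
        finding.reasons.append("multiple SPF records: evaluates to permerror, i.e. no policy")
        finding.status = "fail"
    else:
        qualifier = spf_final_qualifier(spf[0])
        if qualifier != "-":
            finding.reasons.append(f"SPF ends in '{qualifier or 'no '}all' instead of '-all'")
            finding.status = "fail"
    return finding


def audit_all(domains) -> Dict[str, Finding]:
    return {d: audit_parked_domain(d) for d in domains}


if __name__ == "__main__":
    for domain, result in audit_all(SAMPLE_DNS).items():
        print(f"{domain:22} {result.status:5} {'; '.join(result.reasons) or 'parked correctly'}")
```

The fix for a parked domain is the pair `MX 0 .` and `TXT "v=spf1 -all"`; a `~all` (softfail) record still lets forged mail through to many inboxes, and a second SPF record silently cancels the first.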
Weak Ciphers in Connection Offers
TLS (SSL) and SSH services on all our servers are configured to support strong cryptographic ciphers. However, the servers also accepted some weaker ones. While we explicitly configure our TLS cipher suites, the available SSH algorithms came from the default configuration of the well known and well established Linux distribution that we use. SecurityScorecard reduced our score simply because our operating system offered some weak algorithms among the strong ones.
Modern web browsers are built to prefer the strongest cipher suites a server offers, so a browser connecting to our servers would negotiate a strong suite even though weaker ones were also available. The weaker suites nevertheless remained reachable for any client that offered only them, and that is what an external scan measures. Since we had already received an A+ rating from the well known experts at Qualys SSL Labs, we were surprised that SecurityScorecard expects even stricter configurations. Nevertheless, since we do not support old browsers, it was easy to reconfigure our web servers.
Likewise, SSH connections for server maintenance could have negotiated the weaker algorithms, since they were offered alongside the strong ones and the choice is made by whichever client connects. Mitigating this risk meant setting the algorithm lists explicitly in our OpenSSH configuration instead of relying on the defaults.
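The review step behind the OpenSSH change above, as an added example that is not Veeting's configuration or OpenSSH's code: it parses the list-valued keywords of an sshd_config (`Ciphers`, `MACs`, `KexAlgorithms`, `HostKeyAlgorithms`), flags the entries a scanner would treat as legacy, and emits replacement lines containing only what remains. The weak-algorithm patterns are an assumption of mine (SHA-1 and MD5 based MACs and key exchange, CBC modes, 3DES, RC4, the 64-bit UMAC tag, group1, ssh-rsa and ssh-dss host keys), and the config excerpt is constructed. If a config uses the `+`, `-` or `^` modifier forms, the version-specific defaults also apply, so the complete effective lists should come from `sshd -T` output, which the same parser accepts.

```python
"""Flag legacy algorithms in sshd_config lists and emit hardened lines (added example)."""
import re
from typing import Dict, List, Tuple

# sshd keywords whose values are comma-separated algorithm lists (keywords are case-insensitive).
ALGO_KEYWORDS = ("ciphers", "macs", "kexalgorithms", "hostkeyalgorithms")
CANONICAL = {"ciphers": "Ciphers", "macs": "MACs",
             "kexalgorithms": "KexAlgorithms", "hostkeyalgorithms": "HostKeyAlgorithms"}

# Assumption: substrings that mark an algorithm as legacy; a scanner's own list may differ.
WEAK_PATTERNS = [re.compile(p) for p in (
    r"sha1", r"md5", r"-cbc", r"3des", r"arcfour", r"umac-64", r"group1-", r"^ssh-rsa$", r"ssh-dss",
)]

# Constructed sshd_config excerpt: explicit lists that mix strong and legacy entries.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, not a real host)
Port 22
PermitRootLogin no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-cbc,3des-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha1
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
"""


def parse_algo_lists(config_text: str) -> Dict[str, List[str]]:
    """Return {keyword: [algorithms]} for each list-valued keyword present in the text."""
    found: Dict[str, List[str]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in ALGO_KEYWORDS:
            continue
        if value[:1] in "+-^":
            # Modifier form edits the version defaults; only the listed part can be audited here.
            value = value[1:]
        found[key] = [a.strip() for a in value.split(",") if a.strip()]
    return found


def is_weak(algorithm: str) -> bool:
    return any(p.search(algorithm) for p in WEAK_PATTERNS)


def audit(config_text: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """For each list keyword return (kept, flagged), preserving the configured order."""
    report: Dict[str, Tuple[List[str], List[str]]] = {}
    for key, algos in parse_algo_lists(config_text).items():
        report[key] = ([a for a in algos if not is_weak(a)], [a for a in algos if is_weak(a)])
    return report


def hardened_lines(config_text: str) -> List[str]:
    """Replacement directives for every list that contained a flagged algorithm."""
    lines: List[str] = []
    for key, (kept, flagged) in audit(config_text).items():
        if not flagged:
            continue
        if not kept:
            # An empty list would make sshd refuse to start; the operator must pick replacements.
            raise ValueError(f"{CANONICAL[key]}: every configured algorithm is flagged")
        lines.append(f"{CANONICAL[key]} {','.join(kept)}")
    return lines


if __name__ == "__main__":
    for key, (kept, flagged) in audit(SAMPLE_SSHD_CONFIG).items():
        print(f"{CANONICAL[key]}: flagged {flagged}")
    print("\n".join(hardened_lines(SAMPLE_SSHD_CONFIG)))
```

After writing the emitted lines into sshd_config, validate with `sshd -t` before restarting, and keep an existing session open while you confirm a fresh login still works, since a mistyped algorithm name locks everyone out.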
Dethroning the King
Competitions are fantastic because they bring out the best in everyone. Taking up the challenge, we worked diligently on improving our score. Within six weeks we achieved a score of 96 points (as of December 20th, 2022), thereby dethroning the current self-proclaimed leader in the embedded video space.
While we have no relationship with that particular competitor we are glad that they brought up the topic of security and data privacy. Too often, cost is the driving factor for companies choosing a software service as crucial as video conferencing, without much thought being given to hard-to-assess criteria such as security and data privacy. We are glad that European providers are leading this field and remain strong compared to competitors elsewhere. Last but not least, as cyber security is an on-going concern for everyone in the field, the more eyes on the topic and the more tools and insights available, the better we become.