UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
May 2020
Portfolio Risk Profile

Abi Tyas Tunggal
May 27, 2020

We’ve released a new feature for UpGuard Vendor Risk customers called Portfolio Risk Profile. Explore this feature in the UpGuard platform.

It allows you to view the overall risk profile of your vendor portfolio in a single place. For example, you can filter down based on specific risks (e.g. open FTP port) or see all the risks associated with vendors that are labeled as “in-use”.

You can read more about what the Portfolio Risk Profile is here, learn how to use its filter functionality here, and learn how to export data here.

In other news, you can now filter Executive Summary Reports across UpGuard Vendor Risk and UpGuard BreachSight.

You can filter by label or score range in the UpGuard Vendor Risk Executive Summary and by label in the UpGuard BreachSight Executive Summary. To apply a filter, click on the “Apply filters” button in the top right-hand corner of your screen.

We’re also investing in our user interface to ensure the UpGuard platform remains consistent, deliberate, and easy to use. Expect more improvements over the next few weeks.

UpGuard Vendor Risk

In summary:

  • Released the Portfolio Risk Profile
  • Added filtering for UpGuard Vendor Risk Executive Summary
  • Improved the UI

UpGuard BreachSight

We’ve improved our typosquatting module. It now checks for permutations based on other top-level domains. For example, if you are monitoring “example.com”, we will now return permutations such as “example.net”.

In summary:

  • Improved typosquatting module
  • Added filtering for the UpGuard BreachSight Executive Summary
  • Improved the UI
May 2020
Report exporting improvements

Abi Tyas Tunggal
May 12, 2020

We’ve greatly improved the report export functionality across the UpGuard platform. You can now export your own or a vendor’s risk profile to Excel. The Excel file contains a row for each combination of risk and domain / IP.

You’ll also notice that reports reflect any filters you have in place, such as label-based or score-based filtering. To try this out, log in to the UpGuard platform > go to your Risk Profile > apply a filter > click export.

You’ll see there is an option to apply active filters, as well as to export to PDF or Excel.

Additionally, we’ve made some changes to how we report on and classify domains and IP addresses across both UpGuard Vendor Risk and UpGuard BreachSight:

  • When a domain or IP is removed (from a vendor’s infrastructure or your own), you will now see a corresponding event in the “changes” view.
  • Domains with open ports are now classified as “active” to better reflect an organization’s attack surface. Prior to this, domains with open ports but no website or email configuration were classified as “inactive”.
  • Parked domains at several registrars are now considered “inactive”. If you have parked domains that do not appear inactive, please contact UpGuard Support and we can set them as “inactive”.

We also made a small change to our scoring engine. The "HTTP still accessible" check will now fail for domains that respond with a 4xx/5xx HTTP status code over plain HTTP. Previously only sites responding with 200 failed this check.

UpGuard Vendor Risk

We’ve made UpGuard Vendor Risk specific improvements:

  • Domains and IPs are now viewable from Risk Assessments. This means when you conduct a risk assessment on a vendor, you can use the list of Domains and IPs monitored by UpGuard, as well as their associated risks, as part of the evidence for that assessment.
  • We’ve made some improvements to how we collect fourth-party information for our Concentration Risk and Supply Chain modules. If you would like to know more about these modules, please contact UpGuard Support.

UpGuard BreachSight

We’ve made UpGuard BreachSight specific improvements:

  • The Identity Breaches API now includes the data classification for each breach, such as whether it contains passwords, PII, or other sensitive information.
  • Vulnerability alerts are now grouped into a single email. This means if you enable email notifications for new CVE discoveries, we will only send you one email per day that outlines all impacted domains and IPs. You can manage your notifications by clicking here.
April 2020
Deeplinking, category scores and revoke certificate checks

Abi Tyas Tunggal
April 28, 2020

We've made some changes to how we structure the sidebar in UpGuard CyberRisk. The Executive Summary is now split into two separate pages:

This better reflects the nature of the data contained in each page and ensures there is a consistent separation between UpGuard Vendor Risk and UpGuard BreachSight. Additionally, we've reordered some other menu items to improve usability.

Other product-wide improvements in this release include:

  • Deeplinking. If you click an UpGuard link, such as an email notification, and are not logged in, after logging in you will be redirected to the page you were trying to access
  • Category scores. We've improved our API and have made category scores available through the Vendor List API endpoint
  • Revoked certificate check. This is a new check that is part of our automated scanning

UpGuard Vendor Risk improvements

We've improved the ability to drill down into specific details on the UpGuard Vendor Risk Executive Summary. You can now:

  • See which vendors fall within each score range in Current Risk Ratings Breakdown
  • Navigate to the details of a specific vendor in Highest and Lowest Rated Vendors
  • See what products your vendors are using in Supply Chain Risk Section

Additionally, we now:

  • Display supported file types on the Documents and Contacts page.
  • Have a new app or email notification type for when a Risk Assessment is published. If you would like to receive these notifications, head to the Notifications page.

UpGuard BreachSight improvements

We've improved the UpGuard BreachSight Executive Summary by:

  • Allowing you to add up to ten competitors to Competitor Analysis

Additionally, we've made a few small improvements:

April 2020
Improvements to how we display domains and IPs

Abi Tyas Tunggal
April 14, 2020

Over the next week, we'll be rolling out a change to how we display domains and IPs in the UpGuard platform.

Going forward, we will display inactive domains and IPs across your own infrastructure and that of your vendors. We previously only reported on active domains and IPs, e.g. ones running a website or with MX records. We track many more domains than what appears in the active section and now provide a way for you to view these.

UpGuard Vendor Risk improvements

We’ve also improved the design and usability of our new Risk Assessment feature, making it easier to create and read risk assessments. As always, if you’d like to try the feature please let us know via support@upguard.com.

And if your account is configured to factor questionnaire scores into the overall score of a vendor, you will now see a breakdown of the score on their risk profile and vendor summary page.

In short, we now show the total score, questionnaire score, and score based on automated scanning.

UpGuard BreachSight improvements

We’ve added new functionality and data to the Identity breaches module:

  • You can now send email notifications to those who are exposed in third-party data breaches. This is a good way to remind staff about the appropriate use of work email accounts, discourage staff from reusing passwords, or to remind people to change their passwords.
  • Breaches can now be archived once you have processed them, e.g. once you’ve notified impacted employees.
  • Our data set of breaches now includes additional breaches that were discovered by the UpGuard Cyber Research team.
March 2020
Introducing Risk Assessment

Abi Tyas Tunggal
March 19, 2020

We launched a new feature called Risk Assessment. This feature is currently available on request. If you would like access, please email support@upguard.com.

Risk Assessment allows you to:

  • Specify the evidence you reviewed as part of the assessment (including questionnaires and automated scan results)
  • Document your findings based on this evidence
  • Record who conducted the assessment
  • Export the assessment as a PDF
  • Make the assessment visible within the app to all the users of your account

UpGuard Vendor Risk improvements

We've also released two Pandemic questionnaires designed to help you assess your vendors' readiness to deal with the current pandemic, as well as improved PDF report generation.

When you export information to PDF, it will now appear in the sidebar under a new menu item called "Reports". This also fixes the bug where generating reports for large vendors would sometimes time out.

UpGuard BreachSight improvements

We've added an API that returns information about your company's identity breaches, made it easier to tell which domains and IPs you've added manually, and pushed quite a few bug fixes and minor tweaks.

February 2020
New Vendor Summary

Abi Tyas Tunggal
February 19, 2020

New Vendor Summary: When you look up a vendor, the first page you see is now a new Vendor Summary. This provides a management-level view of the vendor, and can also be exported as a PDF.

Other improvements

  • Enhanced Risk Profile: We’ve made a number of improvements to the Risk Profile page, including the ability to filter by risk category (e.g. website risks, email risks, etc.)
  • Websites & APIs is now called Domains and IPs
  • Greatly enhanced port scanning: We now explicitly check for nearly 200 services running across thousands of ports. We also report any services that we can’t identify, and any open ports where no services are detected.
  • We’ve made some changes to our scoring algorithm:
      • Updated email security checks: this includes a new check for the DMARC policy (which fails if p=none). For information on email security, see https://www.upguard.com/blog/email-security
      • Improved checking for open ports/services: As part of enhancing our port scanning capability, we have reviewed and updated the severity of risks associated with open ports/services.
      • The HSTS checks now include a check against the Chromium preload list. If a domain is on the preload list, all HSTS checks pass for that domain and all its subdomains.
      • Updated domain status checks for .au domains: We no longer check for clientTransferProhibited or serverRenewProhibited on .au domains, as they are not applicable.
  • Changes to open ports can now be reflected in CyberRisk sooner, by pressing the “RESCAN” button. When a port is closed, manually requesting a rescan of the website will now detect the change to the port sooner (usually within a day).
  • WHOIS lookup within Typosquatting: When you view a registered permutation of a domain you are monitoring for typosquatting, you can now see that permutation’s WHOIS information
  • New Questionnaires: We have added questionnaires for PCI DSS, CPPA, and Modern Slavery.
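
The DMARC policy check mentioned in the list above (it fails if p=none), sketched as an added Python example; this is not UpGuard's code. The function names, the constructed sample records, and the handling of missing, duplicate or malformed records are assumptions.

```python
# Added example: evaluate the TXT records found at _dmarc.<domain>.
# Only "fails if p=none" comes from the release note; other outcomes are assumptions.

def parse_dmarc(txt):
    """Parse one TXT string into a dict of tags, or None if it is not DMARC.

    RFC 7489 requires the record to begin with the tag v=DMARC1.
    """
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            continue  # malformed tag without '=', skip it
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # e.g. an SPF record published at the same name
        tags.setdefault(name, value)  # first occurrence of a tag wins
    return tags if tags.get("v") == "DMARC1" else None


def dmarc_policy_check(txt_records):
    """Return (passed, reason) for a list of TXT strings."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return False, "no DMARC record"            # assumption: absence fails
    if len(records) > 1:
        return False, "multiple DMARC records"     # RFC 7489: DMARC is not applied
    policy = records[0].get("p", "").lower()
    if policy == "none":
        return False, "p=none (monitor only)"      # the case named in the note
    if policy in ("quarantine", "reject"):
        return True, "p=" + policy
    return False, "missing or invalid p tag"       # assumption


# Constructed sample TXT answers, keyed by hypothetical domain.
SAMPLES = {
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "enforced.example": ["v=spf1 -all", "v=DMARC1; p=Reject; pct=100"],
    "missing.example": ["v=spf1 include:_spf.example.net ~all"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLES.items():
        print(domain, dmarc_policy_check(txts))
```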
January 2020
Exporting vulnerabilities

Abi Tyas Tunggal
January 22, 2020
  • Export Vulnerabilities: You can now export the list of vulnerabilities
  • Better domain discovery: We’ve made further improvements to our domain discovery engine, which results in more domains and subdomains being discovered.
  • Various usability tweaks and bug fixes
December 2019
NIST CSF Questionnaire

Abi Tyas Tunggal
December 23, 2019

We have released a new questionnaire that is mapped to NIST CSF. To use this questionnaire, you'll first need to enable it from the "Questionnaire Library" section of Vendor Risk. When one of your vendors completes a questionnaire, any risks identified will be mapped to the corresponding CSF control categories.

December 2019
Share your security profile

Abi Tyas Tunggal
December 11, 2019
  • Share your security profile: Make it easier for other companies to assess your cybersecurity posture by proactively publishing security-related information including questionnaire responses and other security documents. Control who has access to these documents, and see who has viewed them. Invite companies to view your Shared Profile when they are assessing you, and spend less time completing security questionnaires. Contact UpGuard Support to enable your Shared Profile.
  • Export questionnaires: Download completed questionnaires as PDFs.
  • Questionnaire workflow improvements: When you receive a completed questionnaire, mark it as “in review” to keep track of who in your team is reviewing which questionnaire response.
  • API enhancements: Data leaks are now available through the API. See the API documentation for more details.
  • Various bug fixes
November 2019
Executive Summary Report

Abi Tyas Tunggal
November 11, 2019
  • Executive Summary Report: We’ve created a new report to provide a summary of your own cybersecurity posture, and that of your vendors. We’ll be activating it for existing customers over the next week or so. As part of this change you’ll notice the “Dashboard” page has been replaced with two new pages - the “Executive Summary”, and a dedicated “Notifications” page.
  • Enhanced file upload feature for questionnaires: When providing evidence as part of responding to a security questionnaire, you can now point to a file that you've already uploaded. This allows the same file to be referenced as evidence for multiple questions without having to upload multiple copies of it.
  • Various bug fixes, including some display issues related to the Microsoft Edge browser.
October 2019
Improved notifications

Abi Tyas Tunggal
October 16, 2019
  • You can now receive notifications when your company's score drops below a certain threshold, or by a certain number of points. To opt in and out of these notifications, use the "manage notifications" link on the dashboard page. To customise the set of notifications available to users in your account, go to Account Settings -> Notifications (admin users only).
  • The Insecure SSL/TLS Versions check now fails for TLSv1.1, in addition to SSLv2, SSLv3, and TLSv1.0. See RFC 7525 for more detail on why TLSv1.1 should be disabled.
  • We fixed a bug where for some websites we would incorrectly report old versions of TLS as being available.
  • We improved the way we display vendors whose primary domain does not have a website running on it.
September 2019
WordPress scanning

Abi Tyas Tunggal
September 18, 2019
  • WordPress scanning: Whenever we detect that a site uses WordPress, we now run a series of additional security checks. These checks identify configuration problems that leave WordPress sites vulnerable to attack.
  • Supply Chain Concentration Risk (beta): We have launched a beta of a new feature which highlights where companies in your supply chain (e.g. your vendors) rely on common underlying technology (e.g. hosting providers, email providers). Contact UpGuard Support if you would like early access to this feature.
  • The character limit for messages you include when sending questionnaires has been increased from 300 to 1000
  • Various bug fixes