User Behavior
5 automated security scanners
Phishing Susceptibility
Purpose: The Phishing Susceptibility Scanner evaluates user behavior and organizational policies to identify high click rates on phishing emails, low reporting rates of suspicious activities, and overall awareness levels regarding phishing threats. This helps in assessing the organization’s vulnerability to phishing attacks.
What It Detects:
- Click Rates on Phishing Emails: Identifies patterns indicating frequent clicks on phishing links by analyzing user interaction data from email logs or security reports.
- Reporting Rates of Suspicious Activities: Detects low reporting rates of suspicious emails or activities by examining incident response logs and user feedback mechanisms.
- Awareness Levels Through Policy Indicators: Searches for specific policy indicators related to phishing awareness in company documentation using regex patterns such as “security policy,” “incident response,” “data protection,” and “access control.”
- Maturity of Security Practices: Evaluates the maturity of security practices by identifying compliance certifications and security assessments, looking for indicators like SOC 2, ISO 27001, penetration testing, and vulnerability scanning.
- Trust Center Information: Analyzes trust center information to assess transparency and proactive measures against phishing, checking for detailed breach disclosure statements and remediation actions.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial as it helps organizations understand their susceptibility to phishing attacks, which can directly impact the security and reputation of a company. By identifying areas where users are susceptible to phishing emails and improving reporting mechanisms, the organization can take proactive steps to enhance its overall security posture against phishing threats.
Risk Levels:
- Critical: The scanner would flag conditions that indicate severe vulnerabilities in the organization’s ability to detect and respond to phishing attacks, potentially leading to significant data breaches or other critical security incidents.
- High: The scanner would identify high-risk behaviors such as widespread clicking of suspicious links or inadequate reporting mechanisms for potential threats, which could lead to substantial financial losses or reputational damage if exploited by attackers.
- Medium: The scanner might flag conditions that suggest moderate risks, such as some users being more susceptible to phishing emails or limited awareness about security policies related to phishing. These issues require attention but are less severe than critical vulnerabilities.
- Low: Informational findings from the scanner would include aspects of user behavior and company documentation that show minimal risk or no immediate concerns regarding phishing susceptibility.
Example Findings:
- The organization has experienced multiple users clicking on suspicious links in recent phishing emails, indicating a high susceptibility to such attacks.
- There is a lack of detailed security policies specifically addressing phishing awareness among employees, which could be improved for better protection against these threats.
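The click-rate and reporting-rate metrics described above, computed here from a constructed phishing-simulation event log as an added example (not the scanner’s own code). The users, timestamps and the thresholds in `risk_level` are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample campaign events: (user, event, ISO timestamp).
EVENTS = [
    ("alice", "sent", "2024-03-04T09:00:00"),
    ("alice", "reported", "2024-03-04T09:07:00"),
    ("bob", "sent", "2024-03-04T09:00:00"),
    ("bob", "clicked", "2024-03-04T09:12:00"),
    ("carol", "sent", "2024-03-04T09:00:00"),
    ("carol", "clicked", "2024-03-04T09:30:00"),
    ("carol", "reported", "2024-03-04T09:35:00"),
    ("dave", "sent", "2024-03-04T09:00:00"),
]


def summarize(events):
    """Campaign click rate, report rate, and users who clicked but never reported."""
    per_user = defaultdict(dict)
    for user, kind, ts in events:
        per_user[user][kind] = datetime.fromisoformat(ts)
    sent = [u for u, ev in per_user.items() if "sent" in ev]
    clicked = {u for u in sent if "clicked" in per_user[u]}
    reported = {u for u in sent if "reported" in per_user[u]}
    # A report filed after the click still counts: the user eventually raised it.
    return {
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "click_no_report": sorted(clicked - reported),
    }


def risk_level(summary):
    """Map the rates onto the scanner's Critical/High/Medium/Low scale.
    The thresholds are assumptions for this example, not the scanner's own."""
    click, report = summary["click_rate"], summary["report_rate"]
    if click >= 0.5 and report < 0.25:
        return "Critical"
    if click >= 0.3 or report < 0.25:
        return "High"
    if click >= 0.1 or report < 0.5:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    s = summarize(EVENTS)
    print(s, risk_level(s))
```

The `click_no_report` list is the follow-up queue: users who fell for the lure and never told anyone.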
Insider Threat Detection
Purpose: The Insider Threat Detection Scanner is designed to identify unusual data access patterns and off-hours activity that may indicate potential insider threats within an organization. This tool helps in identifying security breaches caused by insiders who might be misusing their access privileges, ensuring the protection of sensitive information and organizational assets.
What It Detects:
- Unusual Data Access Patterns: Identifies frequent or excessive data access requests outside of normal business hours, as well as patterns where a user accesses a large volume of sensitive data in a short period.
- Off-Hours Activity: Monitors and flags activities that occur during non-working hours, which could be indicative of unauthorized access or malicious intent. This includes monitoring login attempts and data transfers outside standard business hours.
- Suspicious Access Requests: Detects repeated failed login attempts from the same user or IP address, as well as users accessing data they do not typically handle or have no legitimate reason to access.
- Anomalous User Behavior: Tracks deviations in user behavior, such as changes in typical usage patterns or access locations, and flags activities that deviate significantly from historical norms.
- Potential Data Exfiltration Attempts: Monitors data transfer volumes and identifies unusually large data transfers that may indicate exfiltration attempts, including unusual outbound traffic to external servers or cloud services.
Inputs Required:
- domain (string): The primary domain to analyze, such as “acme.com,” which helps in identifying potential threats within the organization’s network.
- company_name (string): The company name for statement searching, used to contextualize the data access patterns and behavior being monitored.
Business Impact: This scanner is crucial for maintaining the integrity and security of an organization’s sensitive information. By detecting potential insider threats early on, organizations can mitigate risks associated with unauthorized access and protect their valuable assets from internal breaches.
Risk Levels:
- Critical: Conditions that could lead to immediate data exposure or significant organizational damage, such as large-scale data exfiltration or critical infrastructure compromise.
- High: Conditions that pose a high risk of sensitive information leakage or unauthorized access to critical systems, including off-hours activities and unusual data access patterns from known insiders.
- Medium: Conditions that may indicate potential insider threats but do not necessarily lead to immediate exposure, such as infrequent access to sensitive data during non-working hours.
- Low: Informational findings or conditions that are generally within expected behavior, unless there is evidence of suspicious activity or deviation from norms.
- Info: Non-critical issues that provide supplementary information but do not directly impact security posture significantly.
Example Findings:
- “User ‘jdoe’ accessed sensitive data outside of normal business hours, raising concerns about potential unauthorized access.”
- “Multiple failed login attempts detected from user ‘asmith’ at 3 AM, indicating possible account compromise or malicious intent.”
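Rule-based triage for three of the categories listed above (off-hours access to sensitive data, repeated failed logins, large transfers), run over a constructed access log as an added example that is not the scanner’s own code. The log format, the business-hours window, the thresholds and the `finance/` prefix used to mark sensitive resources are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 is treated as working hours
FAILED_LOGIN_THRESHOLD = 3      # failures per user per day before flagging
TRANSFER_THRESHOLD_MB = 500     # downloaded MB per user per day before flagging
SENSITIVE_PREFIX = "finance/"   # resources treated as sensitive in this example

# Constructed access log: timestamp user action resource megabytes.
LOG = """\
2024-03-04T03:02:11 asmith login_failed - 0
2024-03-04T03:02:40 asmith login_failed - 0
2024-03-04T03:03:05 asmith login_failed - 0
2024-03-04T10:15:00 jdoe read finance/payroll.xlsx 2
2024-03-04T22:41:00 jdoe read finance/payroll.xlsx 3
2024-03-04T22:45:00 jdoe download finance/archive.zip 640
2024-03-04T11:00:00 mlee read hr/handbook.pdf 1
"""


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, action, resource, mb = line.split()
        rows.append((datetime.fromisoformat(ts), user, action, resource, int(mb)))
    return rows


def findings(rows):
    """Return (severity, message) pairs: off-hours access to sensitive data,
    repeated failed logins per user per day, and large daily download volumes."""
    out = []
    failed = Counter()
    transferred = defaultdict(int)
    for ts, user, action, resource, mb in rows:
        day = ts.date()
        if action == "login_failed":
            failed[(user, day)] += 1
            continue
        if ts.hour not in BUSINESS_HOURS and resource.startswith(SENSITIVE_PREFIX):
            out.append(("High", f"{user} {action} {resource} off-hours at {ts:%H:%M}"))
        if action == "download":
            transferred[(user, day)] += mb
    for (user, day), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            out.append(("High", f"{n} failed logins for {user} on {day}"))
    for (user, day), mb in transferred.items():
        if mb >= TRANSFER_THRESHOLD_MB:
            out.append(("Critical", f"{user} downloaded {mb} MB on {day}"))
    return out
```

Per-day aggregation is what turns three isolated failures or a string of small downloads into one finding; single events rarely cross a threshold on their own.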
Security Awareness Effectiveness
Purpose: The Security Awareness Effectiveness Scanner evaluates the effectiveness of a company’s security awareness program by assessing knowledge retention, behavior change, and reporting culture through internal documentation and publicly available policies.
What It Detects:
- Identifies the presence of key security policy documents such as “security policy,” “incident response,” “data protection,” and “access control.”
- Detects certifications and practices indicating security maturity, including SOC 2, ISO 27001, penetration testing, and vulnerability scanning.
- Analyzes internal assessments to determine if employees retain essential security knowledge through questionnaires and evaluations.
- Evaluates changes in user behavior after training or awareness campaigns by reviewing policy review records and manual evaluations.
- Assesses the company’s reporting culture by examining how incidents are reported and handled internally, ensuring a proactive approach to security issues.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial for organizations looking to enhance the effectiveness of their security awareness programs, ensuring compliance with industry standards and improving overall security posture by identifying gaps in policy implementation and employee knowledge retention.
Risk Levels:
- Critical: The presence of critical vulnerabilities or lack of essential security policies that directly impact the organization’s ability to protect sensitive information.
- High: Inadequate or missing key security policies, which may lead to significant risks if exploited by external threats.
- Medium: Partial compliance with security practices or gaps in awareness training and inadequate incident reporting mechanisms.
- Low: Minimal issues that do not significantly impact the organization’s security posture but can be improved for better protection.
- Info: Informational or non-critical findings that provide general insights into the company’s security practices without immediate risk.
Example Findings:
- The absence of a comprehensive “security policy” document, which is critical for guiding employee behavior and incident response.
- Incomplete SOC 2 certification, indicating potential gaps in handling sensitive information securely.
Shadow IT Detection
Purpose: The Shadow IT Detection Scanner is designed to identify unauthorized cloud services and personal device usage within an organization by analyzing DNS queries, HTTP requests, TLS/SSL configurations, and network port activity. This tool helps in mitigating the risks associated with shadow IT, which can lead to data breaches and compliance issues.
What It Detects:
- Unauthorized Cloud Services:
  - Detects unauthorized cloud service providers through DNS TXT records.
  - Identifies suspicious MX (Mail Exchange) records pointing to external services.
  - Scans for CAA (Certification Authority Authorization) records that may indicate unauthorized certificates.
- Personal Device Usage:
  - Analyzes HTTP requests for security headers indicating personal device usage.
  - Checks for redirects and content patterns that suggest use of unmanaged devices.
  - Inspects TLS/SSL certificates for anomalies that could indicate personal device connections.
- DNS Record Anomalies:
  - Scans DNS records for SPF (Sender Policy Framework) configurations that may allow unauthorized email sending.
  - Examines DMARC (Domain-based Message Authentication, Reporting & Conformance) policies to detect misconfigurations.
  - Looks for DKIM (DomainKeys Identified Mail) records indicating potential misuse.
- TLS/SSL Vulnerabilities:
  - Identifies outdated TLS versions such as TLSv1.0 and TLSv1.1.
  - Detects weak cipher suites like RC4, DES, and MD5 in SSL/TLS configurations.
  - Checks for protocol version mismatches that could indicate security weaknesses.
- Network Port Activity:
  - Performs port scanning to identify unauthorized open ports.
  - Conducts service fingerprinting to detect services running on non-standard ports.
  - Analyzes socket connections for unusual or unauthorized network activity.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: This scanner is crucial as it helps in identifying and mitigating the risks associated with shadow IT, which can lead to significant security breaches and compliance issues. It ensures that only authorized cloud services and devices are used within an organization’s network, thereby safeguarding sensitive data and maintaining regulatory compliance.
Risk Levels:
- Critical: Conditions where unauthorized cloud service usage is detected through DNS TXT records or misconfigured DMARC policies could lead to immediate security threats such as data breaches.
- High: Misuse of personal devices for business operations, indicated by HTTP requests with weak security headers or TLS configurations that do not meet industry standards, can significantly impact the integrity and confidentiality of organizational data.
- Medium: Detection of outdated TLS versions or use of weak cipher suites might indicate potential vulnerabilities but does not pose an immediate critical risk.
- Low: Minor deviations in DNS records such as SPF misconfigurations are generally less risky but still need attention to maintain overall security posture.
- Info: Informational findings like minor anomalies in HTTP headers could be indicative of non-critical personal device usage but do not directly affect the core security risks.
Example Findings:
- A DNS TXT record indicating an unauthorized cloud service provider, which might bypass corporate policies and expose sensitive data to external threats.
- TLS/SSL configuration showing use of outdated TLS version (TLSv1.0) and weak cipher suite (RC4), which could be exploited by attackers for data interception.
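The SPF, DMARC and TLS checks described under “DNS Record Anomalies” and “TLS/SSL Vulnerabilities”, written as an added example (not the scanner’s own code) that runs offline on constructed record strings; a live run would fetch the TXT records and the server’s negotiated protocols and ciphers. The severity assigned to each finding follows the risk levels on this page; the `rua` check and the sample values are assumptions.

```python
import re

OUTDATED_TLS = {"TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_RE = re.compile(r"RC4|DES|MD5")


def check_spf(txt):
    """SPF: a permissive or missing terminal 'all' lets unauthorized hosts send as the domain."""
    if not txt.startswith("v=spf1"):
        return [("Low", "no SPF record published")]
    terms = txt.split()
    if any(t in ("+all", "all", "?all") for t in terms):
        return [("Low", "SPF permits any sender (+all/?all)")]
    if not any(t.endswith("all") for t in terms):
        return [("Low", "SPF record has no terminal 'all' mechanism")]
    return []


def check_dmarc(txt):
    """DMARC: p=none only monitors, so spoofed mail is still delivered."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return [("Critical", "no DMARC record published")]
    if tags.get("p", "none") == "none":
        return [("Critical", "DMARC policy is p=none; spoofed mail is not rejected")]
    if "rua" not in tags:
        return [("Medium", "DMARC has no aggregate report address (rua)")]
    return []


def check_tls(protocols, ciphers):
    """TLS: outdated protocol versions and weak cipher suites, rated Medium as on the page."""
    out = [("Medium", f"outdated protocol {p} enabled") for p in protocols if p in OUTDATED_TLS]
    out += [("Medium", f"weak cipher suite {c}") for c in ciphers if WEAK_CIPHER_RE.search(c)]
    return out


if __name__ == "__main__":
    # Constructed records for a fictional domain; not real DNS data.
    for f in (check_spf("v=spf1 include:_spf.example.net +all")
              + check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@acme.example")
              + check_tls(["TLSv1.0", "TLSv1.2"], ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"])):
        print(*f)
```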
Privileged User Monitoring
Purpose: The Privileged User Monitoring Scanner detects unusual behavior by privileged users and monitors admin activity within an organization, aiming to identify potential security threats or policy violations originating from privileged accounts.
What It Detects:
- Identifies instances where admin actions are not logged or are inadequately documented, highlighting gaps in logging mechanisms that could allow unauthorized activities to go unnoticed.
- Detects deviations from normal access patterns by privileged users, such as accessing sensitive data outside of regular working hours or from unusual locations, and flags repeated failed login attempts and lockouts associated with admin accounts.
- Verifies that privileged user activities comply with established security policies and procedures, identifying instances where policy violations occur, including unauthorized access to restricted systems or data.
- Evaluates the effectiveness of incident response plans in handling incidents involving privileged users, checking for evidence of timely detection, containment, eradication, recovery, and communication during simulated or actual security incidents.
- Analyzes user behavior to identify anomalies that may indicate malicious intent or insider threats, utilizing machine learning techniques to detect subtle changes in behavior that could signal a security risk.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
Business Impact: This scanner is crucial as it helps in maintaining a robust security posture by proactively monitoring and detecting potential threats posed by privileged users, ensuring compliance with established policies, and enhancing the overall resilience of an organization against insider threats and unauthorized activities.
Risk Levels:
- Critical: Conditions that could lead to immediate and severe impacts on security, such as unlogged admin actions or significant policy violations that bypass critical security measures.
- High: Situations where privileged users access sensitive data outside normal working hours or from unauthorized locations, indicating a potential breach of security protocols.
- Medium: Non-compliance with certain aspects of the security policy, which might lead to gradual degradation in security posture over time if not addressed promptly.
- Low: Minimal compliance issues that do not significantly impact overall security but should still be monitored for trends or potential escalations.
- Info: Informational findings related to minor deviations from standard practices that are generally non-threatening but could indicate evolving user behavior patterns requiring further investigation.
Where the scanner’s README does not define risk levels, the levels above are inferred from the scanner’s purpose and potential impact and serve as a general guide.
Example Findings:
- Privileged users accessing proprietary financial data after hours or from an unusual IP address range, indicating unauthorized access attempts that could be indicative of insider threats.
- Inadequate logging mechanisms for critical admin activities, posing a significant risk if such actions were to remain undetected.
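Two of the checks described in this section, written as an added example that is not the scanner’s own code: finding privileged sessions with no matching audit-log entries (the logging gap) and sessions from outside the expected admin source ranges. The bastion session and audit record formats, the users, the IP ranges and the commands are all constructed for the example.

```python
import ipaddress
from datetime import datetime

# Source ranges admins are expected to connect from (assumed for this example).
ADMIN_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]

# Constructed bastion session records: (user, source IP, start, end).
SESSIONS = [
    ("root-ops", "10.20.4.7", "2024-03-04T10:00:00", "2024-03-04T10:20:00"),
    ("root-ops", "198.51.100.9", "2024-03-04T23:10:00", "2024-03-04T23:40:00"),
    ("dba-admin", "10.20.8.3", "2024-03-04T14:00:00", "2024-03-04T14:05:00"),
]
# Constructed audit-log entries: (user, timestamp, command).
AUDIT = [
    ("root-ops", "2024-03-04T10:05:00", "sudo systemctl restart nginx"),
    ("dba-admin", "2024-03-04T14:02:00", "psql -c 'GRANT ALL ON payroll TO app'"),
]


def audit_gaps(sessions, audit):
    """Privileged sessions with no audit entry for that user inside the session
    window: the unlogged admin activity the scanner rates Critical."""
    gaps = []
    for user, _ip, start, end in sessions:
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        logged = any(u == user and s <= datetime.fromisoformat(ts) <= e for u, ts, _ in audit)
        if not logged:
            gaps.append(("Critical", f"no audit entries for {user} session {start}..{end}"))
    return gaps


def unusual_sources(sessions, ranges=ADMIN_RANGES):
    """Privileged sessions from outside the expected source ranges, rated High."""
    out = []
    for user, ip, start, _end in sessions:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ranges):
            out.append(("High", f"{user} session from unexpected source {ip} at {start}"))
    return out


if __name__ == "__main__":
    for f in audit_gaps(SESSIONS, AUDIT) + unusual_sources(SESSIONS):
        print(*f)
```

A session that is both unlogged and from an unexpected source, like the second root-ops session here, is the case that deserves the fastest follow-up.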