Bitsight Technologies Company Overview Cooperativa Central de Credito Ailos Group 2022 06 20

Cooperativa Central de Crédito Ailos Group has not experienced any botnet infections over the past year according to the report. The average number of botnet infections for companies in the finance industry was 88 over the past year. No other details were provided about the company's performance on other types of compromised systems.

Uploaded by Oscar Barufaldi

Cooperativa Central de Crédito Ailos Group

Company Overview Report

SECURITY RATING: 780

Date Created: 2022-06-20
BitSight Technologies Inc. https://www.bitsight.com/

Company Overview 1 of 36

TABLE OF CONTENTS

Compromised Systems
  A    Botnet Infections
  A    Spam Propagation
  A    Malware Servers
  A    Unsolicited Communications
  A    Potentially Exploited

Diligence
  A    SPF
  A    DKIM
  A    SSL Certificates
  A    SSL Configurations
  A    Open Ports
  D    Web Application Headers
  C    Patching Cadence
  A    Insecure Systems
  A    Server Software
  N/A  Desktop Software
  N/A  Mobile Software
  C    DNSSEC*
  N/A  Mobile Application Security*
  N/A  Domain Squatting**

User Behavior
  A    File Sharing
  N/A  Exposed Credentials**

Public Disclosures
  A    Security Incidents
  N/A  Other Disclosures*

* Risk Vector does not currently affect Security Ratings
** Informational risk vector (will never affect Security Ratings)

This report was created for Cooperativa Central de Crédito Ailos Group, by BitSight Technologies. It is a snapshot of the company’s BitSight Security Rating performance during the past year, as of 18 June 2022.

©BitSight Technologies, Inc. 2022. All rights reserved. 2022-06-20

BitSight Security Rating: 780 (ADVANCED)

Company Info
  Subscription: Insureds
  Monitored by: 1 company
  Homepage: ailos.coop.br
  Industry: Finance
  IP addresses: 165
  Searched by: 30 users
  Company ID: Unassigned

Security Ratings
  Highest: 780 on 18 Jun 2022
  Lowest: 740 on 18 Oct 2021

[Chart: Security Rating trend, JUL 2021 to MAY 2022, rating scale 300-850]

Finance Industry Range
  BASIC 250-630   INTERMEDIATE 640-730   ADVANCED 740-900

Compromised Systems

Compromised Systems are devices or machines in an organization’s network that show symptoms of malicious or unwanted software. These compromises can disrupt daily business operations and can increase an organization’s risk of breach.

Compromised Systems are evaluated based on the number and type of malware, the severity, and the duration. For each risk vector, an overall letter grade is calculated from evaluations of each instance of compromise.

For example, an organization could have an "F" for botnet infections, if they either had many botnets in a short period, or a few persistent botnets over months.

[Chart: Number of Events per month, Jun to Jun, for Botnet Infections, Spam Propagation, Malware Servers, Unsolicited Communications and Potentially Exploited; all series at 0]

Botnet Infections
Percentile: Top 10%

Botnet Infection events indicate that devices on a company’s network were observed participating in botnets as either bots or Command and Control servers. Botnets can be used to exfiltrate corporate secrets and sensitive customer information, repurpose company resources for illegal activities, and serve as conduits for other infections.

Event Counts over past year (no data to compare with the Finance industry)
  Cooperativa Central de Crédito Ailos Group: 0
  Finance Industry: 88

Average Days to resolve events over past year (no data to compare with the Finance industry to resolve events)
  Cooperativa Central de Crédito Ailos Group: 0.0
  Finance Industry: 3.3

Remediation Suggestions
  Conduct a thorough security review of the machine (malware & antivirus sweep).
  Review services used on the machine, harden firewall rules.
  Improve employee computer safety training (phishing, installing unapproved software).

Top Findings
  Identifier | First Seen | Last Seen | Duration | Severity | Details
  There are no findings currently affecting this risk vector.

Spam Propagation
Percentile: Top 10%

Spam Propagation events are observed when devices on a company’s network are sending unsolicited commercial or bulk email. This type of activity can damage a company’s reputation and cause legitimate company email to be caught in spam filters.

Event Counts over past year (no data to compare with the Finance industry)
  Cooperativa Central de Crédito Ailos Group: 0
  Finance Industry: 1

Average Days to resolve events over past year (no data to compare with the Finance industry to resolve events)
  Cooperativa Central de Crédito Ailos Group: 0.0
  Finance Industry: 2.1

Remediation Suggestions
  Track down infections and conduct a thorough security review of the machine (malware & antivirus sweep).
  Review services used on the machine, harden firewall rules.
  Improve employee computer safety training (phishing, installing unapproved software).

Top Findings
  Identifier | First Seen | Last Seen | Duration | Severity | Details
  There are no findings currently affecting this risk vector.

Malware Servers
Percentile: Top 10%

Malware Server events occur when servers are observed engaging in malicious activity, such as hosting phishing, fraud or scam sites. Compromised servers can put employees and customers at risk by infecting devices that connect to company resources.

Event Counts over past year (no data to compare with the Finance industry)
  Cooperativa Central de Crédito Ailos Group: 0
  Finance Industry: 3

Average Days to resolve events over past year (no data to compare with the Finance industry to resolve events)
  Cooperativa Central de Crédito Ailos Group: 0.0
  Finance Industry: 1.6

Remediation Suggestions
  Track down infections and conduct a thorough security review of the machine (malware & antivirus sweep).
  Review services used on the machine, harden firewall rules.
  Improve employee computer safety training (phishing, installing unapproved software).

Top Findings
  Identifier | First Seen | Last Seen | Duration | Severity | Details
  There are no findings currently affecting this risk vector.

Unsolicited Communications
Percentile: Top 10%

Unsolicited Communications events occur when devices attempt to communicate with servers that are not hosting any useful services. This type of activity not only shows that a device is compromised, but that it is actively seeking other devices to infect.

Event Counts over past year (no data to compare with the Finance industry)
  Cooperativa Central de Crédito Ailos Group: 0
  Finance Industry: 3

Average Days to resolve events over past year (no data to compare with the Finance industry to resolve events)
  Cooperativa Central de Crédito Ailos Group: 0.0
  Finance Industry: 4.2

Remediation Suggestions
  Track down infections and conduct a thorough security review of the machine (malware & antivirus sweep).
  Review services used on the machine, harden firewall rules.
  Improve employee computer safety training (phishing, installing unapproved software).

Top Findings
  Identifier | First Seen | Last Seen | Duration | Severity | Details
  There are no findings currently affecting this risk vector.

Potentially Exploited
Percentile: Top 10%

Potentially Exploited events occur when browsers on a company’s network are infected with malware that is altering the user’s experience, such as adware. These events are often indicative of other infections.

Event Counts over past year (no data to compare with the Finance industry)
  Cooperativa Central de Crédito Ailos Group: 0
  Finance Industry: 100

Average Days to resolve events over past year (no data to compare with the Finance industry to resolve events)
  Cooperativa Central de Crédito Ailos Group: 0.0
  Finance Industry: 4.3

Remediation Suggestions
  Track down infections and conduct a thorough security review of the machine (malware & antivirus sweep).
  Review services used on the machine, harden firewall rules.
  Improve employee computer safety training (phishing, installing unapproved software).

Top Findings
  Identifier | First Seen | Last Seen | Duration | Severity | Details
  There are no findings currently affecting this risk vector.

Diligence

Diligence risk vectors show steps a company has taken to prevent attacks. BitSight currently evaluates SPF, DKIM, TLS/SSL, Open Port and DNSSEC information in assessing a company’s security diligence.

All diligence records are evaluated as one of the following: Good, Fair, Warn, Bad or Neutral. Records are assessed using industry-standard criteria. For each diligence risk vector, an overall letter grade is calculated using the evaluations of each individual record.

For example, if a company has three domains, and each of them has an effective SPF record, their overall SPF grade would be an “A”. Likewise, if none of the three domains have SPF records, their overall SPF grade would be an “F”.

Records older than 60 days will not affect a company’s Security Rating.

[Chart: Number of records by grade (Good, Fair, Warn, Bad, Neutral), Dec 2021 to Current, scale 0-250]

SPF Domains
Percentile: Top 10%

Properly configured SPF records help ensure that only authorized hosts can send email on behalf of a company by providing receiving mail servers the information they need to reject mail sent by unauthorized hosts. BitSight verifies that a company has SPF records on all domains that are sending or have attempted to send email, and that they are configured in a way that helps prevent email spoofing.

Grade Distribution: 55 records, 100.0% in one grade (the listed findings are all GOOD)

Remediation Suggestions
  Create an SPF record, and conduct a thorough security review of the machine (malware & antivirus sweep).
  Check for common mistakes in your SPF record.
  All domains should have SPF records, even SMTP servers and those that aren’t configured to send mail. If a company does not intend to send mail from a domain, an attacker can still use that domain to spoof email.

Identifier | First Seen | Last Seen | Grade | Severity | Details
cecred.com.br | 2021-05-12 | 2022-06-18 | GOOD | Minor |
civia.coop.br | 2021-07-17 | 2022-06-18 | GOOD | Minor |
acredi.coop.br | 2021-07-17 | 2022-06-18 | GOOD | Minor |
evolua.coop.br | 2021-07-17 | 2022-06-18 | GOOD | Minor |
credcrea.com.br | 2021-05-12 | 2022-06-18 | GOOD | Minor |
credelesc.com.br | 2021-05-12 | 2022-06-18 | GOOD | Minor |
credicomin.com.br | 2021-05-12 | 2022-06-18 | GOOD | Minor |
ailoscartoes.com.br | 2021-05-12 | 2022-06-18 | GOOD | Minor |
rodocredito.coop.br | 2021-05-12 | 2022-06-18 | GOOD | Minor |
transpocred.coop.br | 2021-07-17 | 2022-06-18 | GOOD | Minor |
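As an added example (not from the report and not BitSight's code), the Python below applies the remediation advice above to SPF TXT records handed to it as strings: it reports a missing record, more than one record, a permissive or neutral "all", the deprecated "ptr" mechanism, terms placed after "all", and more than the ten DNS-lookup terms RFC 7208 allows. The sample zones and domain names are constructed; nothing is resolved over the network.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records):
    """Return a list of findings for the TXT records published at one domain.

    `txt_records` holds every TXT string found at the domain (an empty
    list means none). An empty result means the record passed every
    check implemented here.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        # A domain that never sends mail still needs a record, otherwise
        # anyone can put it in the envelope sender.
        return ["no SPF record; publish at least 'v=spf1 -all'"]

    findings = []
    if len(spf) > 1:
        # Receivers treat more than one v=spf1 record as a permanent error.
        findings.append("multiple SPF records; receivers return permerror")

    lookups = 0
    all_seen = False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if all_seen:
            findings.append(f"term '{term}' after 'all' is never evaluated")
            continue
        if name == "all":
            all_seen = True
            if qualifier == "+":
                findings.append("'+all' authorizes every host; use '-all' or '~all'")
            elif qualifier == "?":
                findings.append("'?all' is neutral and gives no protection")
        elif name == "ptr":
            findings.append("'ptr' mechanism is deprecated; use ip4/ip6 or include")
        if name in LOOKUP_TERMS:
            lookups += 1

    if not all_seen:
        findings.append("no 'all' term; unlisted hosts get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings


# Constructed sample zones (not real records of any domain in the report).
SAMPLE_ZONES = {
    "good.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "parked.example": ["google-site-verification=constructed"],
    "weak.example": ["v=spf1 a mx ptr +all"],
    "double.example": ["v=spf1 -all", "v=spf1 mx ~all"],
}


def audit_zones(zones):
    """Map each domain to its findings; domains with none are clean."""
    return {domain: check_spf(records) for domain, records in zones.items()}


if __name__ == "__main__":
    for domain, findings in audit_zones(SAMPLE_ZONES).items():
        print(domain, findings or ["ok"])
```

In practice the input list would come from a TXT lookup of each domain in the inventory, including domains that are not meant to send mail; the "parked.example" case shows why those still need a record.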

DKIM Records
Percentile: Top 10%

Properly configured DKIM records can help ensure that only authorized hosts can send email on the behalf of a company. BitSight verifies that a company uses DKIM and has configured it in a way that prevents email spoofing.

Grade Distribution: 4 records, 100.0% in one grade (the listed findings are all GOOD)

Remediation Suggestions
  Search for Diligence records and then implement an effective DKIM record if one does not already exist. Please see our comprehensive article on How to create a DKIM record.
  Generate a new RSA keypair, specifying a bit strength of 2048 or larger. For elliptic curve keys, a length of 224 bits is recommended. Refer to the recommended key length. We follow NIST recommendations regarding key length.
  Refer to the recommended key rotation for how often to generate a new RSA keypair.
  Check that your keys are properly stored and the DKIM record has the correct key.

Identifier | First Seen | Last Seen | Grade | Severity | Details
selector1._domainkey.unilos.coop.br | 2022-06-17 | 2022-06-17 | GOOD | Minor |
selector1._domainkey.transpocred.coop.br | 2022-06-17 | 2022-06-17 | GOOD | Minor |
selector1._domainkey.ailos.coop.br | 2022-02-11 | 2022-06-08 | GOOD | Minor |
11dkim1._domainkey.sistemaailos.coop.br | 2022-05-18 | 2022-05-18 | GOOD | Minor |

TLS/SSL Certificates
Percentile: Top 10%

TLS/SSL certificates are used to encrypt traffic over the Internet. BitSight analyzes TLS/SSL certificates and provides information about their effectiveness. Certificates are responsible for verifying the authenticity of your company servers to your associates, clients, and guests, and serve as the basis for establishing cryptographic trust.

Grade Distribution: 26 records, 100.0% in one grade (the listed findings are all GOOD)

Remediation Suggestions
  Review the Certificate Authority Best Practices and implement effective TLS/SSL certificates.
  Obtain valid and up-to-date TLS certificates from an industry certificate authority.
  Select a stronger signature algorithm (like SHA-256).

Identifier | First Seen | Last Seen | Grade | Severity | Details
www.dev.integra.ailos.coop.br | 2022-02-02 | 2022-06-18 | GOOD | Minor |
acessoaconta.viacredialtovale.coop.br | 2021-08-26 | 2022-06-18 | GOOD | Minor | Large number of DNS Names: 37
apimobile.ailos.coop.br | 2021-09-08 | 2022-06-18 | GOOD | Minor |
*.cecred.coop.br | 2021-08-19 | 2022-06-18 | GOOD | Minor |
www.ailosconfigmgrcmg.ailos.coop.br | 2022-04-07 | 2022-06-18 | GOOD | Minor |
www.acredi.coop.br | 2021-08-28 | 2022-06-18 | GOOD | Minor | Large number of DNS Names: 30
www.progrid.com.br | 2022-05-31 | 2022-06-18 | GOOD | Minor | Large number of DNS Names: 98
autodiscover.ailos.coop.br | 2021-09-01 | 2022-06-18 | GOOD | Minor |
vpn.evolua.coop.br | 2021-12-13 | 2022-06-18 | GOOD | Minor |
view.sistemaailos.coop.br | 2022-04-29 | 2022-06-17 | GOOD | Minor |

TLS/SSL Configurations
Percentile: Top 10%

Evaluates TLS/SSL server configurations, which includes whether a company's servers have correctly configured security protocol libraries, and support strong encryption standards when making encrypted connections to other machines. Incorrect or weak configurations may make servers vulnerable to certain attacks (POODLE, Heartbleed).

Grade Distribution: 89 records [chart bar labels 64.0%, 28.1% and 7.9% across Good / Fair / Warn / Bad / Neutral]

Remediation Suggestions
  Update and keep server implementations of TLS/SSL (OpenSSL, LibreSSL, etc); latest versions are patched against known vulnerabilities and they have countermeasures for other attacks.
  Refer to the TLS 1.0 and 1.1 deprecation schedule to see how this risk vector will be affected. Disable SSL v2, SSL v3, TLS 1.0, and TLS 1.1. Migrate to a minimum of TLS 1.2. Migrating to a later version (TLS 1.2 or TLS 1.3) is strongly encouraged.
  Regenerate Diffie-Hellman primes to be 2048 bits. Refer to the Guide to Deploying Diffie-Hellman for TLS to configure TLS securely.

Identifier | First Seen | Last Seen | Grade | Severity | Details
www.acredi.coop.br:443 | 2022-06-17 | 2022-06-18 | WARN | Moderate | Missing intermediate certificates or untrusted root anchor
vpn.evolua.coop.br:443 | 2022-03-06 | 2022-06-18 | BAD | Severe | Certificate with non-standard root; Certificate Name Mismatch
www.credifoz.coop.br:443 | 2022-06-18 | 2022-06-18 | WARN | Moderate | Missing intermediate certificates or untrusted root anchor
www.credicomin.coop.br:443 | 2022-05-03 | 2022-06-18 | WARN | Moderate | Missing intermediate certificates or untrusted root anchor
www.viacredialtovale.coop.br:443 | 2022-06-17 | 2022-06-18 | WARN | Moderate | Missing intermediate certificates or untrusted root anchor
189.125.69.221:443 | 2022-01-29 | 2022-06-18 | GOOD | Minor |
200.169.164.29:443 | 2022-01-20 | 2022-06-18 | GOOD | Minor |
189.125.69.203:443 | 2021-03-28 | 2022-06-18 | GOOD | Minor |
189.125.69.217:443 | 2022-06-01 | 2022-06-18 | GOOD | Minor |
200.169.164.22:443 | 2022-01-27 | 2022-06-18 | GOOD | Minor |

Open Ports
Percentile: Top 10%

Open Ports shows which port numbers and services are exposed to the Internet. Certain ports must be open to support normal business functions; however, unnecessary open ports provide ways for attackers to access a company’s network.

Grade Distribution: 117 records [chart bar labels 52.1% and 47.9% across Good / Fair / Warn / Bad / Neutral]

Remediation Suggestions
  Embedded in every packet of network communication is the port number for communication, which can be used to identify and block unwanted attempts to communicate over certain ports or ranges of ports not used by the company. Close unnecessary open ports.
  Audit the services running on a machine and ensure only vital services are running.
  Set up access to required services over a Virtual Private Network (VPN).
  Block specific or ranges of ports not used by the company in the company edge infrastructure. The port number is embedded in every packet of network communication, which can be used for port identification. View the full list of network ports in the IANA Service Name and Transport Protocol Port Number Registry.

Identifier | First Seen | Last Seen | Grade | Severity | Details
200.186.45.94:53 | 2021-03-31 | 2022-06-18 | NEUTRAL | Minor | Detected service: DNS
189.125.69.221:443 | 2021-04-02 | 2022-06-18 | GOOD | Minor | Detected service: HTTPS
200.169.164.29:80 | 2021-04-02 | 2022-06-18 | NEUTRAL | Minor | Detected service: HTTP (potential ROBOT vulnerability)
200.169.164.29:443 | 2021-03-27 | 2022-06-18 | GOOD | Minor | Detected service: HTTPS
189.125.69.203:80 | 2021-03-28 | 2022-06-18 | NEUTRAL | Minor | Detected service: HTTP (potential ROBOT vulnerability)
189.125.69.203:443 | 2021-03-28 | 2022-06-18 | GOOD | Minor | Detected service: HTTPS
200.186.44.155:123 | 2021-03-28 | 2022-06-18 | NEUTRAL | Minor | Detected service: NTP
200.186.45.202:80 | 2021-04-05 | 2022-06-18 | NEUTRAL | Minor | Detected service: HTTP (potential ROBOT vulnerability)
189.125.69.217:443 | 2021-11-11 | 2022-06-18 | GOOD | Minor | Detected service: HTTPS
200.169.164.22:443 | 2021-05-11 | 2022-06-18 | GOOD | Minor | Detected service: HTTPS

Web Application Headers
Percentile: Bottom 30%

This risk vector analyzes security-related fields in the header section of HTTP request and response messages. If configured correctly, these fields can help provide protection against malicious behavior, such as man-in-the-middle and cross-site scripting attacks. Different types of headers are required for HTTP/1.0, HTTP/1.1, and HTTPS. See the Knowledge Base for a list of required headers for each protocol.

Grade Distribution: 21 records [chart bar labels 61.9%, 33.3% and 4.8% across Good / Fair / Warn / Bad / Neutral]

Remediation Suggestions
  Records that affect a company’s Diligence grades have messages that provide an explanation and remediation. Refer to the Help and Remediation messages for additional details.
  Implement the required headers from the list of required headers and refer to the configuration requirements.
  Ensure application headers are created correctly and don’t contain misspellings (typos).

Identifier | First Seen | Last Seen | Grade | Severity | Details
www.acredi.coop.br:443 | 2022-03-01 | 2022-06-18 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.credifoz.coop.br:443 | 2021-05-11 | 2022-06-18 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.credicomin.coop.br:443 | 2022-03-15 | 2022-06-18 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.viacredialtovale.coop.br:443 | 2022-03-07 | 2022-06-18 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
evolua.coop.br:443 | 2021-09-10 | 2022-06-17 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.unilos.coop.br:443 | 2022-05-02 | 2022-06-17 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.crevisc.coop.br:443 | 2022-03-13 | 2022-06-17 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.credelesc.coop.br:443 | 2022-05-02 | 2022-06-17 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.transpocred.coop.br:443 | 2022-03-09 | 2022-06-16 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
www.civia.coop.br:443 | 2022-03-15 | 2022-06-15 | BAD | Material | Ineffective headers: Set-Cookie; Missing required headers
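As an added example (not from the report and not BitSight's code), the Python below reproduces the two kinds of finding in the table above, "Missing required headers" and an ineffective Set-Cookie, on a raw HTTPS response head. The REQUIRED set is an assumed baseline chosen for illustration; BitSight's own required-header list lives in its Knowledge Base and is not reproduced here. Both sample responses are constructed, so no host is contacted.

```python
import re

# Assumed baseline of response headers expected on an HTTPS page.
# This is an illustrative set, not BitSight's Knowledge Base list.
REQUIRED = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}

# Constructed sample responses (no real host was contacted).
BAD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=abc123; Path=/
Server: nginx
"""

GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw):
    """Split a raw response head (status line plus header lines) into
    (name, value) pairs. Names are lower-cased because header names are
    case-insensitive; values keep their case."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(pairs):
    """Return {'missing': [...], 'ineffective': [...]} for one response.

    'missing' lists REQUIRED headers that are absent; 'ineffective' lists
    headers that are present but configured so they give no protection.
    """
    present = {}
    cookies = []
    for name, value in pairs:
        if name == "set-cookie":
            cookies.append(value)      # Set-Cookie may repeat; keep every one
        else:
            present.setdefault(name, value)
    missing = sorted(REQUIRED - set(present))
    ineffective = []

    # HSTS without a positive max-age tells browsers nothing.
    hsts = present.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if hsts and (max_age is None or int(max_age.group(1)) == 0):
        ineffective.append("strict-transport-security: max-age missing or zero")

    # The only value that disables MIME sniffing is 'nosniff'.
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        ineffective.append("x-content-type-options: value is not 'nosniff'")

    # A session cookie on an HTTPS site needs Secure, HttpOnly and SameSite.
    for cookie in cookies:
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        cookie_name = cookie.split("=", 1)[0].strip()
        lacking = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if lacking:
            ineffective.append(f"set-cookie {cookie_name}: missing {', '.join(lacking)}")
    return {"missing": missing, "ineffective": ineffective}


def audit_response(raw):
    """Convenience wrapper: parse a raw response head and audit it."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, raw in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit_response(raw))
```

Running it against a captured response head is enough to reproduce a BAD record like the ones listed; the same check belongs in a deployment pipeline so a missing header is caught before an external rating service sees it.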

Patching Cadence
Percentile: Top 40%

This risk vector evaluates how many systems in an organization's network infrastructure are affected by software vulnerabilities and how quickly the company resolved any issues. Vulnerabilities are publicly disclosed holes or bugs in software that can be used by attackers to gain unauthorized access to systems and data. Patches are updates to the affected software that resolve the vulnerability and close that particular avenue of attack.

[Chart: Vulnerability Management Performance, Time to Remediate (Weeks), scale 75-175, Jun to Jun]

Remediation Suggestions
  Conduct general housekeeping on company infrastructure. Keep software, hardware, operating systems, and supporting libraries up-to-date. Doing so can make it easier to patch systems in case vulnerabilities appear in the future.
  Ensure your operating systems and supporting libraries are up-to-date with the latest patches. Implement automatic updates for critical systems.
  Ensure new systems introduced into your corporate network are free of known vulnerabilities. Staying informed on the latest threats is a simple way to be aware of any possible risks your company could acquire when bringing any new devices onto your network.
  Find out how quickly your critical vendors are patching vulnerabilities. Your organization’s security posture may be strong, but even one weak link in your supply chain can pose significant risk.

Identifier | First Seen | Last Seen | Grade | Severity | Details
189.125.69.193:443 | 2020-10-01 | 2022-04-30 | N/A | Moderate | CVE-2014-3566 (POODLE)

Insecure Systems
Percentile: Top 10%

Insecure Systems is an indication of the number of an organization’s endpoints that are communicating with an unintended destination. The software of these endpoints may be outdated, tampered with, or misconfigured. “Endpoints” refer to any desktop computer, server, mobile device, media system, or appliance that has internet access. A system is classified as “insecure system” when these endpoints try to communicate with a web domain that doesn’t yet exist or isn’t registered to anyone.

Grade Distribution: 0 records [empty chart: Good / Fair / Warn / Bad / Neutral]

Remediation Suggestions
  Identify known insecure systems and uninstall or update the firmware of insecure applications (endpoints), as outlined in the remediation instructions for the record.

Identifier | First Seen | Last Seen | Grade | Severity | Details
There are no findings currently affecting this risk vector.

Server Software
Percentile: Top 10%

The Server Software risk type can be used to create a rich picture about the software used by an organization. It helps track security holes created by server software that is no longer supported by its original developers or has become out-of-date (deprecated).

No findings available

Remediation Suggestions
  Identify out-of-date server software installations and update them.
  Ensure the organization has critical server software set to auto-update, if applicable, and if some of the organization’s production applications depend on certain unsupported versions, their software development teams will need to integrate the newer versions into their code base.
  Consult your operating system vendors’ software repositories and release notes for more information on supported server software for your organization.

Desktop Software

Desktop software are laptops, servers, and other non-tablet, non-phone computers in a company's network which access the internet. Outgoing communications from desktop software include metadata about the device's operating system and browser version; we compare the devices' version of OS and browser with currently released versions and software updates available for those systems, and determine whether those systems are supported or out of date.

Grade Distribution: 5 users [chart bar labels 60.0% and 40.0% across Good / Fair / Warn / Bad / Neutral]

Remediation Suggestions
  Search for Diligence records and then identify and update unsupported mobile software.
  Set up auto-update methods for critical desktop software.
  Insufficient information prevents BitSight from identifying unsupported software. The use of software device management systems is recommended, along with integrating human processes that ensures systems in the organization are patched and the software is up-to-date.

Software Currency by Number of Users
  Operating Systems: Supported 100.0%, Unsupported 0.0%, Unknown 0.0%
  Browsers: Supported 60.0%, Unsupported 40.0%, Unknown 0.0%

Top Desktop Operating Systems (Visible Web Activity Distribution, %)
  Windows 10: 60.0%
  Windows 8.1 / 2012 R2: 40.0%

Top Desktop Browsers (Visible Web Activity Distribution, %)
  Chrome 100.0.4896: 40.0%
  Chrome 101.0.0: 20.0%
  Chrome 101.0.4951: 20.0%
  Chrome 102.0.5005: 20.0%

Identifier | First Seen | Last Seen | Grade | Severity | Details
Windows 10 / Chrome 102.0.5005 | 2022-06-03 | 2022-06-17 | GOOD | Minor | Supported Operating System and Browser
Windows 8.1 / 2012 R2 / 2012 R2 / Chrome 101.0.0 | 2022-06-17 | 2022-06-17 | FAIR | Minor | Supported Operating System and Unsupported Browser
Windows 10 / Chrome 101.0.4951 | 2022-06-10 | 2022-06-10 | FAIR | Minor | Supported Operating System and Unsupported Browser
Windows 8.1 / 2012 R2 / 2012 R2 / Chrome 100.0.4896 | 2022-05-13 | 2022-05-13 | GOOD | Minor | Supported Operating System and Browser
Windows 10 / Chrome 100.0.4896 | 2022-04-15 | 2022-04-22 | GOOD | Minor | Supported Operating System and Browser

Mobile Software

Mobile Software measures mobile devices, such as smartphones and tablets, that are accessing the Internet from an organization’s network. Outgoing communications from mobile devices include metadata about the device's operating system, browser version, and applications. The version information is compared with the latest and currently available versions in order to determine if the mobile device is running supported or out-of-date software.

Grade Distribution: 3 users, 100.0% in one grade (the listed findings are all GOOD)

Remediation Suggestions
  Search for Diligence records and then identify and update unsupported mobile software.
  Set up auto-update methods for critical mobile software.
  Insufficient information prevents BitSight from identifying unsupported software. The use of mobile device management (MDM) systems is recommended, along with integrating human processes that ensures systems in the organization are patched and the software is up-to-date.

Software Currency by Number of Users
  Operating Systems: Supported 100.0%, Unsupported/Unknown 0.0%
  Browsers: Supported 100.0%, Unsupported/Unknown 0.0%

Top Mobile Operating Systems (Visible Web Activity Distribution, %)
  Android 11: 66.7%
  Android 9: 33.3%

Top Mobile Browsers (Visible Web Activity Distribution, %)
  Chrome Mobile 100.0.4896: 33.3%
  Chrome Mobile 101.0.4951: 33.3%
  Chrome Mobile 102.0.5005: 33.3%

Identifier | First Seen | Last Seen | Grade | Severity | Details
Android 9 / Chrome Mobile 102.0.5005 | 2022-06-03 | 2022-06-03 | GOOD | Minor | Supported Operating System and Browser
Android 11 / Chrome Mobile 101.0.4951 | 2022-05-20 | 2022-05-20 | GOOD | Minor | Supported Operating System and Browser
Android 11 / Chrome Mobile 100.0.4896 | 2022-05-06 | 2022-05-06 | GOOD | Minor | Supported Operating System and Browser

Top 50%

DNSSEC* Grade Distribution: 56 records

DNSSEC is a protocol that uses public 75


key encryption to authenticate DNS
servers. BitSight verifies whether a ​100.0%
100.0%
company is using DNSSEC and if it is

Record count
50
configured effectively.

Remediation Suggestions

Set up DNSSEC for your domain, 25


including generating the appropriate keys
and updating DNS zone records.
Generate a new Zone Signing Key
0
using the RSA or DSA algorithm, with a Good Fair Warn Bad Neutral
key of 2048 bits or more.
Download updated trust anchors and
set them to be managed automatically.
Add your DNSKEY to your DNS
records through your registrar’s
management interface.

* Risk Vector does not currently affect Security


Ratings

Identifier First Seen Last Seen Grade Severity Details

ailoscartoes.com.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

cecred.com.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

credcrea.com.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

credelesc.com.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

credicomin.com.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

acredi.coop.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

civia.coop.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

evolua.coop.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

rodocredito.coop.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain

seminarioailos.coop.br 2021-05-12 2022-06-18 NEUTRAL Minor DNSSEC is not configured on this domain
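The registrar step in the remediation list is where most registrars actually want a DS record rather than the DNSKEY itself: the parent zone publishes a digest of the child’s key-signing key, and that digest is what completes the chain of trust. The following example was added for this page and is not BitSight’s code or anything taken from the report; it derives the DS record from a DNSKEY in Python. The owner name, the 64 key bytes and the algorithm number are constructed placeholders (the key bytes are a 0x00..0x3f pattern, not a real curve point), and the algorithm check refuses the DSA and RSASHA1 keys that older guidance still mentions.

```python
import base64
import hashlib
import struct

# Constructed inputs (not taken from the report): a DNSKEY as it would appear in a zone
# file. Flags 257 = Zone Key (256) + Secure Entry Point (1), i.e. a KSK; protocol is
# always 3; algorithm 13 = ECDSAP256SHA256. The 64 key bytes 0x00..0x3f are a
# placeholder pattern, not a real curve point: only the DS derivation is demonstrated.
OWNER = "Example.COM."          # mixed case on purpose; canonical form lowercases it
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBLIC_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

# RFC 8624: DSA (3, 6) must not be used and RSASHA1 (5, 7) is not recommended for
# signing; refuse to derive a DS for a key that should not be signing anything.
NOT_FOR_SIGNING = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire format: flags (2 bytes), protocol, algorithm, key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (16-bit fold of a running sum)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(name):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_record(owner, flags, protocol, algorithm, public_key_b64):
    """DS record (digest type 2 = SHA-256, RFC 4509) that the parent zone publishes for this key."""
    if not (flags & 0x0100):
        raise ValueError("Zone Key flag (256) not set: this is not a DNSSEC zone key")
    if not (flags & 0x0001):
        raise ValueError("SEP flag not set: the DS is normally derived from the KSK, not a ZSK")
    if algorithm in NOT_FOR_SIGNING:
        raise ValueError(f"algorithm {algorithm} ({NOT_FOR_SIGNING[algorithm]}) is deprecated for signing (RFC 8624)")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hashlib.sha256(canonical_wire_name(owner) + rdata).hexdigest().upper()
    return {"owner": owner.lower().rstrip(".") + ".", "key_tag": key_tag(rdata),
            "algorithm": algorithm, "digest_type": 2, "digest": digest}


def ds_presentation(ds):
    """Zone-file line in the form a registrar's DS form expects."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


if __name__ == "__main__":
    print(ds_presentation(ds_record(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY_B64)))
```

The key tag is not a security property (it is a 16-bit hint that lets a validator pick the right key), but the DS digest is: it binds the child’s KSK into the parent, so it must be recomputed and re-published at every KSK rollover. For any of the domains listed above, `dig DS cecred.com.br +dnssec` shows whether the parent zone currently publishes a DS for the name; an empty answer is what the NEUTRAL findings correspond to.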


Mobile Application Security*    Total Mobile Applications: 0

This risk vector analyzes the security aspect of publicly available applications in official mobile marketplaces such as Apple App Store and Google Play.

* Risk Vector does not currently affect Security Ratings

[Chart: App Grade; no applications to plot]

Remediation Suggestions

Identify mobile applications that are not adhering to application security best practices.
Verify questionnaire data from vendors, for example claims that their organization is free of a particular operating system.
Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
Verify quality and other contractual agreements with clients or vendors; for example, verify that a client created secure software from a security standpoint and adhered to a policy of keeping end-user operating systems up-to-date.
If your company is developing and supporting apps for third party customers, please ensure your support emails and support URLs reflect the appropriate ownership information.


Domain Squatting**

Domain squatting reports on the presence of registered domains named similarly to those owned by an organization. Attackers serve malicious software from similar domain names to take advantage of mistyped URLs from an organization’s visitors, and can trick users into opening malicious email attachments if recipients do not carefully check the originating domain of a message.

Remediation Suggestions

Assess potential weaknesses in domain coverage. Work to register any potentially at-risk domains and to trademark your brand assets. Increase domain squatting coverage by requesting the addition of a secondary domain that legitimately belongs in your domain map.
Implement a policy for domain squatting threats, including a process for issuing takedown requests, taking legal action based on trademark infringement, and implementing firewalls/blocking mechanisms to protect against squatted domains.
Be wary of suspicious domains that are similar to official domains for a vendor, but not registered to their company.
Understand if end users at an insured company are at risk for data loss, email phishing attacks, and other threats.
Verify completed questionnaires from critical vendors.

** Informational risk vector (will never affect Security Ratings)

Overview

23159 results in total, by category:
Typographical Errors: 57.5% (13327 results)
Spear Phishing: 27.3% (6326 results)
Bit-flip: 15.1% (3506 results)

[Chart: results by registration status and category]
Unregistered: Typographical Errors 12828, Spear Phishing 6152, Bit-flip 3484
Another Company: Typographical Errors 297, Spear Phishing 0, Bit-flip 0
Third Party: Typographical Errors 202, Spear Phishing 174, Bit-flip 22


Results Matrix for All Domains

Category / Subcategory       Unregistered    Third Party    Another Company

Spear Phishing               6152            174            0
  Addition                   1456            0              0
  Homoglyph                  4079            3              0
  Hyphenation                617             3              0
  TLD Variant                0               168            0

Bit-flip                     3484            22             0
  Bitsquatting               3484            22             0

Typographical Errors         12828           202            297
  Insertion                  6476            6              1
  Omission                   662             17             76
  Repetition                 419             0              0
  Replacement                3382            12             0
  Subdomain                  316             109            195
  Transposition              671             1              25
  Vowel-swap                 647             32             0
  Various                    255             25             0

Total                        22464           398            297
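Each subcategory in the matrix is a deterministic transformation of a domain label, which is what makes the “increase domain squatting coverage” suggestion actionable: the candidates can be enumerated in advance and checked against registration data. The example below was written for this page (it is not BitSight’s generator and not code from the report) and implements seven of the matrix’s categories for the first label of a domain in Python: bit-flips (Bitsquatting), Transposition, Omission, Repetition, Hyphenation, Vowel-swap and Homoglyph. The homoglyph table is a small constructed ASCII subset; the Addition, Insertion, Replacement, Subdomain and TLD Variant categories are left out.

```python
import string

# Characters allowed in a DNS label (letters, digits, hyphen). Uppercase is excluded on
# purpose: DNS names are case-insensitive, so flipping bit 5 of a letter yields the
# same name, not a squat.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")
VOWELS = "aeiou"
# Deliberately small ASCII look-alike table (constructed for this example); real tooling
# also covers Unicode confusables.
HOMOGLYPHS = {"l": ("1", "i"), "i": ("l", "1"), "o": ("0",), "0": ("o",),
              "rn": ("m",), "m": ("rn",), "vv": ("w",), "w": ("vv",)}


def valid_label(label):
    """LDH rule: 1-63 chars from [a-z0-9-], no leading or trailing hyphen."""
    return (0 < len(label) <= 63 and set(label) <= LABEL_CHARS
            and not label.startswith("-") and not label.endswith("-"))


def bitsquats(label):
    """Every single-bit error in every character (Bitsquatting); invalid results are filtered later."""
    out = set()
    for pos, ch in enumerate(label):
        for bit in range(8):
            out.add(label[:pos] + chr(ord(ch) ^ (1 << bit)) + label[pos + 1:])
    return out


def transpositions(label):
    """Swap each pair of adjacent characters."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}


def omissions(label):
    """Drop each character once."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetitions(label):
    """Double each character once."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def hyphenations(label):
    """Insert a hyphen at each interior position."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def vowel_swaps(label):
    """Replace each vowel with every other vowel."""
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in VOWELS for v in VOWELS if v != ch}


def homoglyphs(label):
    """Replace each occurrence of a look-alike source string with each of its substitutes."""
    out = set()
    for src, repls in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for r in repls:
                out.add(label[:start] + r + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


GENERATORS = {"Bitsquatting": bitsquats, "Transposition": transpositions, "Omission": omissions,
              "Repetition": repetitions, "Hyphenation": hyphenations, "Vowel-swap": vowel_swaps,
              "Homoglyph": homoglyphs}


def squat_candidates(domain):
    """Candidate look-alike domains for the first label of `domain`, grouped by category.
    Only well-formed labels that differ from the original are kept."""
    label, _, suffix = domain.lower().partition(".")
    return {cat: sorted(f"{v}.{suffix}" for v in gen(label) if v != label and valid_label(v))
            for cat, gen in GENERATORS.items()}


if __name__ == "__main__":
    for cat, names in squat_candidates("ailos.coop.br").items():
        print(f"{cat:13s} {len(names):3d}  {', '.join(names[:5])} ...")
```

Run on ailos.coop.br (one of the domains the report lists) this yields 22 bit-flip candidates such as ailo3.coop.br and cilos.coop.br; the LDH filter is what keeps the count honest, since most bit errors produce bytes that cannot appear in a hostname. The next step in practice is a batch WHOIS or DNS lookup of each candidate, which the report’s registration-status columns (Unregistered / Third Party / Another Company) summarise.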


User Behavior

User Behavior looks at user file sharing activity that may introduce malicious software into a company, for example, by downloading a compromised file.

User behavior records older than 60 days will not affect a company’s grade.


File Sharing (Top 10%)

File Sharing over 60 days: 0 events
0 unique IPs observed

[Chart: record count by File Sharing category (Books, Games, Movies, Music, TV, Applications, Other); no events to plot]

File sharing is the exchange of media and software, passed through a centralized server (File Transfer Protocol, email, instant messaging), distributed cloud storage services, or direct peer-to-peer channels such as BitTorrent or Gnutella.

BitSight only tracks file sharing over the BitTorrent protocol, when seen on company infrastructure, and records the sharing of such files as books, music, movies, TV shows, and applications.

Remediation Suggestions

File Sharing events coming from your company’s infrastructure can be found in the My Company ➔ User Behavior tab. The User Behavior Forensics add-on package provides specific details about File Sharing events.
Use a firewall with Deep Packet Inspection to block torrent activity, as BitTorrent is difficult to block using standard port range rules: clients negotiate arbitrary listening ports, can run the peer protocol over TCP 80 or 443, and use uTP over UDP, so the traffic has to be identified by its protocol rather than by port.

IP Address First Seen Last Seen Duration Severity File Sharing Category

There are no findings currently affecting this risk vector.
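The remediation note about port rules is the practical point: a rule that blocks 6881-6889 both misses BitTorrent on port 443 and misfires on unrelated traffic that happens to use 6881. The example below was added for this page and is not BitSight’s detection logic; it shows what a payload signature looks like for the three protocol surfaces a DPI engine typically matches, the peer-wire handshake (BEP 3), a DHT query (BEP 5) and an HTTP tracker announce, and contrasts it with a port rule over five flows. The flows are constructed byte strings, not captured traffic, and the info_hash and peer_id values are placeholders.

```python
# Signatures for the three BitTorrent surfaces a DPI engine commonly matches.
BT_HANDSHAKE = b"\x13BitTorrent protocol"          # pstrlen=19 + pstr, BEP 3 peer wire protocol
BT_HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20            # + reserved + info_hash + peer_id
DHT_QUERY_PREFIX = b"d1:ad2:id20:"                 # bencoded KRPC query (BEP 5): {"a": {"id": <20 bytes>, ...
TRACKER_ANNOUNCE = b"GET /announce?info_hash="     # HTTP tracker request (BEP 3)

# Constructed placeholders, not a real torrent or client.
INFO_HASH = bytes(range(0x10, 0x24))               # 20 bytes
PEER_ID = b"-XX0000-" + b"0123456789ab"            # 20 bytes in the Azureus-style layout

# Constructed sample flows (not captured traffic): (flow id, transport, destination port, first payload bytes).
FLOWS = [
    ("f1", "tcp", 443,  BT_HANDSHAKE + b"\x00\x00\x00\x00\x00\x10\x00\x05" + INFO_HASH + PEER_ID),
    ("f2", "tcp", 6881, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),  # TLS ClientHello on a "torrent" port
    ("f3", "udp", 6881, DHT_QUERY_PREFIX + INFO_HASH + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("f4", "tcp", 80,   TRACKER_ANNOUNCE + b"%10%11%12&peer_id=-XX0000-0123456789ab HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    ("f5", "tcp", 80,   b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]


def port_rule(port):
    """The classic firewall rule: treat destination ports 6881-6889 as BitTorrent."""
    return 6881 <= port <= 6889


def parse_bt_handshake(payload):
    """Fields of a peer-wire handshake, or None if the payload is not (or is too short to be) one."""
    if len(payload) < BT_HANDSHAKE_LEN or not payload.startswith(BT_HANDSHAKE):
        return None
    return {"reserved": payload[20:28].hex(), "info_hash": payload[28:48].hex(), "peer_id": payload[48:68]}


def bittorrent_signature(transport, payload):
    """Payload-based classification, independent of port: the check a DPI engine performs."""
    if transport == "tcp" and parse_bt_handshake(payload):
        return "peer-wire-handshake"
    if transport == "udp" and payload.startswith(DHT_QUERY_PREFIX):
        return "dht-query"
    if transport == "tcp" and payload.startswith(TRACKER_ANNOUNCE):
        return "tracker-announce"
    return None


def audit(flows):
    """Compare both approaches per flow: {flow_id: (port_rule_hit, signature_or_None)}."""
    return {fid: (port_rule(port), bittorrent_signature(transport, payload))
            for fid, transport, port, payload in flows}


if __name__ == "__main__":
    for fid, (by_port, by_sig) in audit(FLOWS).items():
        print(f"{fid}: port rule={'HIT ' if by_port else 'miss'}  signature={by_sig or '-'}")
```

Of the five flows, the port rule flags f2 and f3 and misses f1 and f4, while the payload signatures flag f1, f3 and f4 and leave f2 and f5 alone. Real deployments add encrypted-handshake (MSE) heuristics, which this example does not cover, and the DHT prefix should be paired with a bencode sanity check to keep false positives down on busy UDP ports.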


Exposed Credentials**

The Exposed Credentials risk vector indicates if employees of a company had their information disclosed as a result of a publicly
disclosed data breach. Exposed Credentials is an informational risk vector and does not affect a company's Security Rating. Many
websites do not validate email addresses, which makes it difficult to assert that certain exposed records are associated with a
company's employees. Likewise, BitSight does not test that exposed credentials are valid, for example by trying a username and
password exposed from a breached site, in order to preserve business confidence and trust.

Remediation Suggestions

Use Exposed Credentials as an opportunity to create or re-evaluate policies on information reuse, especially requirements concerning password reuse and password complexity, to address the potential risks associated with Exposed Credentials.
Consider using 2-factor authentication as part of your organization’s user account security strategy.

** Informational risk vector (will never affect Security Ratings)

Observed Events
Observation Date (MM/DD/YYYY) Exposure Date (MM/DD/YYYY) Breached Site Domains Records

10/03/2021 04/08/2021 LinkedIn Scraped Data ailos.coop.br and 5 more 207

01/20/2021 09/28/2020 Nitro cecred.coop.br and 1 more 26

08/02/2020 06/22/2020 Vakinha cecred.coop.br and 2 more 25

07/28/2020 03/14/2019 Hurb cecred.coop.br and 1 more 41

08/10/2019 05/24/2019 Canva ailos.coop.br and 3 more 48

03/12/2019 02/25/2019 Verifications.io cecred.coop.br 8

01/22/2019 01/07/2019 Collection #1 cecred.coop.br 5

10/12/2018 07/23/2018 Apollo acredi.coop.br and 4 more 436

06/15/2018 06/12/2018 Trik Spam Botnet cecred.coop.br 5

05/10/2017 10/13/2016 Exploit.In cecred.coop.br and 1 more 17

05/06/2017 12/16/2016 Anti Public Combo List cecred.coop.br and 1 more 16

02/09/2017 10/03/2013 Adobe cecred.coop.br and 1 more 8

02/09/2017 06/01/2012 LinkedIn cecred.coop.br and 4 more 27

02/09/2017 01/01/2012 Dropbox cecred.coop.br 3
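A policy against password reuse is only enforceable if a candidate password can be checked against breach data without handing the password to anyone, which is what the k-anonymity “range” protocol popularised by Have I Been Pwned’s Pwned Passwords service does: the client sends the first five hex characters of the password’s SHA-1, receives every hash suffix in that bucket, and matches locally. The example below was added for this page; it is not BitSight’s code (the text above notes that BitSight deliberately does not test credentials). It simulates both sides of the exchange in Python over a constructed three-entry corpus, and the 12-character minimum in the policy check is an example value rather than a figure from the report.

```python
import hashlib

# Constructed breach corpus (not real breach data): password -> times seen in public dumps.
LEAKED = {"password": 9_000_000, "123456": 37_000_000, "Summer2021!": 3}


def sha1_upper(password):
    """Uppercase hex SHA-1, the form the range protocol uses (SHA-1 is a lookup key here, not a protection)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server side: bucket every leaked hash by its first 5 hex characters.
RANGE_INDEX = {}
for _pw, _count in LEAKED.items():
    _h = sha1_upper(_pw)
    RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_query(prefix):
    """Simulated 'range' endpoint: every SUFFIX:COUNT line whose hash starts with `prefix`.
    The server learns 5 hex characters (one of 16**5 buckets), never the full hash."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\r\n".join(f"{s}:{n}" for s, n in sorted(RANGE_INDEX.get(prefix, {}).items()))


def breach_count(password, query=range_query):
    """Client side: send only the prefix, match the suffix locally; 0 means not in the corpus."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        s, _, n = line.partition(":")
        if s == suffix:
            return int(n)
    return 0


def password_problems(password, min_length=12, query=range_query):
    """Reasons to reject a password under a 'no known-breached passwords' policy.
    The 12-character minimum is an example policy value, not a figure from the report."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    n = breach_count(password, query)
    if n:
        problems.append(f"seen {n} times in public breach data")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2021!", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

The `query` parameter exists so the client can be pointed at a real range endpoint over HTTPS; the test below uses it to confirm that only the 5-character prefix ever leaves the client. Rejecting breached passwords at set and reset time is the control that turns the Exposed Credentials list from a report into a policy.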


Public Disclosures

Public Disclosure events provide information on breaches, general security incidents, and other disclosures related to possible incidents of undesirable access to a company’s data.

Only certain events in this category affect a company’s rating, and only if they occur, as opposed to having a percentage of the rating dedicated to them.


Security Incidents (Top 10%)

Breaches are publicly disclosed events of unauthorized access, often involving data loss or theft. These events are graded based on
several factors, including the number of lost or exposed data records.

Note: Breaches have a negative impact on Security Ratings only if they occur and have a 120-day half-life. For instance, the remaining
impact of a breach will be fewer than 20 points after 18 months for severe breaches and under 10 points for moderate breaches.

Public Discovery Effective Date Severity Category

There are no events currently affecting this risk vector

General Security Incidents

General Security Incidents are a diverse range of events related to the undesirable access of a company’s data and are considered
more severe than Other Disclosures. Some categories of General Security Incidents are Ratings-impacting, while others are
informational only and do not impact the rating. These events are graded based on several factors, including the number of lost or
exposed data records.

Note: Ratings-impacting General Security Incidents have a negative impact on Security Ratings only if they occur and have a 120-day
half-life. For instance, the remaining impact of a General Security Incident will be fewer than 20 points after 18 months for the most
severe incidents and under 10 points for moderate ones.

Public Discovery Effective Date Severity Category Origin

There are no events currently affecting this risk vector


Other Disclosures*

Other Disclosures are considered the least severe group of events within Public Disclosures. This category is used for incidents we
learn about via public information, and through other means, that are judged to be minimal in their reflection on security posture. All
categories of Other Disclosures are informational only and do not impact the rating.

* Risk Vector does not currently affect Security Ratings

Public Discovery Effective Date Severity Category Origin

There are no events currently affecting this risk vector


FAQ

What is a BitSight Company Overview Report?

This report was created for Cooperativa Central de Crédito Ailos Group, by BitSight Technologies. It is a snapshot of the company’s BitSight Security Rating performance during the past year, as of 18 June 2022. It includes:
A historical overview of the company’s BitSight Security Rating and their overall security performance.
A summary analysis of the company’s observed events by risk vector.

Learn more about this report here: https://bitsighttech.com/understand-your-rating

Why am I receiving this report?

A BitSight Company Overview Report is typically shared by BitSight customers with companies in their networks (their third parties). The report is typically sent for various reasons, such as informing their third parties of risks affecting their internet security posture that may need remediation, as a part of the evaluation process for cyber insurance applicants, or to meet regulatory requirements.

If this report is sent by another party, BitSight encourages discussing this report with that party. Access to the BitSight platform can also be granted to the third parties of BitSight customers, where they may view additional details.

Who is BitSight?

BitSight is a company that provides daily security ratings through an automated service via the BitSight Security Ratings Platform.

The BitSight platform continuously analyzes terabytes of external data on the security behaviors of a company in order to help organizations manage third party risk, first party risk, benchmark performance, and assess and negotiate cyber insurance premiums. It’s used by the world’s largest investment banks, retailers, private equity companies, and insurers to evaluate the security risk of their own organization and their third parties with objective, evidence-based security ratings.

Based in Boston, MA, BitSight is backed by the Globespan Capital Partners, Menlo Ventures, Comcast Ventures, Commonwealth Capital Ventures, Flybridge Capital Partners, and the National Science Foundation.

For more information about BitSight, visit www.bitsight.com or follow @BitSight on Twitter.

Please email BitSight Support at [email protected] regarding additional questions or for more information about this report.

What is a BitSight Security Rating?

A BitSight Security Rating describes a company’s cybersecurity posture, serves as a measure of their risk, and transforms how companies manage security risk by using a data-driven, outside-in approach to rate a company’s security effectiveness.

A company’s rating is presented as a number between 250 and 900. It’s an aggregation of the letter grades of all risk vectors (with different weights), that are then normalized for that company. It’s based on a 10-point rating system, and then rounded down in 10 point increments. Therefore, if the current rating is 740, this is a representation of the combined assessments of all risk vectors. The rating may be somewhere between 740 and 749 in actuality.

Learn more about the BitSight Security Rating here: https://www.bitsight.com/security-ratings

How can I discuss information in this report?

This report summarizes the security performance of the company, depicted across the risk categories and the risk vectors within them.
The Compromised Systems risk category indicates the presence of malware or unwanted software, which is evidence of insufficient security controls.
The Diligence risk category assesses the steps a company has taken to prevent attacks, their best practice implementation, and risk mitigation (e.g., server configurations) to determine if the security practices of an organization are on par with best practices.
The User Behavior risk category assesses employee activity, such as file sharing and password re-use. These types of activities can introduce malware to an organization or result in a data breach.
The Public Disclosures risk category provides information related to possible incidents of undesirable access to a company’s data, including breaches, general security incidents, and other disclosures.


Disclaimer
This report and all data contained
herein are the proprietary information of
BitSight Technologies, Inc. and are
governed by and may be used only in
accordance with the terms and
conditions of the applicable underlying
agreement. For the avoidance of doubt,
this report and all data contained herein
are provided on an “as is” basis and for
internal use only, and BitSight
Technologies, Inc. hereby disclaims any
and all express or implied warranties
whatsoever, including, but not limited to,
any warranties of merchantability or
fitness for a particular purpose. Except
as otherwise permitted in the applicable
underlying agreement, this report may
not be reproduced in whole or in part by
any means of reproduction.
