How to improve Your Cyber Risk Score

The most common findings we come across and how you can address them to improve your score

The Cyber Risk Scan Report on your Cyber Risk Dashboard is designed to help you quickly identify the critical issues that will move the needle for your overall security. Improving your overall Corvus Score will help to put you in the strongest position when it comes time to renew your policy.

The best place to start with improving your score is the Action Center, also found in your Cyber Risk Dashboard. This page provides you a tailored and prioritized list of recommendations to improve your organization's security. The most critical issues — those with the highest likelihood to increase your score and your security posture — will be at the top. 

Below, we’ve gathered some best practices for how to improve your score. Following these may help boost your organization’s overall score. Notable findings that we frequently encounter include; Patching Critical Vulnerabilities, Securing Remote Access, Implementing a Lower Risk VPN Solution, and Limiting the Use of Self-Signed Certificates.

• Ensure all software is patched to the latest versions. This comes from a strong patch management program to ensure that software is patched quickly when new versions are released.
• If you need additional information about the CVE’s listed in the report, you can search the CVE in the National Vulnerability Database. 
• For more information on the importance of software patching, please check out our CISO’s blog post: Prioritize Your Patching: A Risk based Vulnerability Management Approach.

• Assess your external footprint to ensure that only the systems and network ports required for business functionality are publicly accessible. Some remote access services that may no longer be in use, in which case, we recommend closing them.
• Organizations should implement Multi-Factor Authentication (MFA) for any remote access methodology. 
• For those organizations that are still using RDP for remote access, Corvus recommends migrating to new remote access technologies such as Zero Trust Network Access (ZTNA). ZTNA minimizes your external footprint and securely ties authentication to your users.
  • If RDP is required for business functionality, organizations should consider implementing an allow list to only grant access to trusted sources. For more information, please check out our article What is RDP, and why is it a security concern?

• Our scan checks for the presence of high-risk VPN solutions. 
• High-risk VPNs are those that contain numerous critical severity vulnerabilities, which are heavily exploited by threat actors to carry out ransomware attacks. Our predictive risk model has observed a higher likelihood of cyber incidents at organizations that leverage these vulnerable and targeted VPN solutions.
• Ensure that a formal patch and vulnerability management process is in place for your current VPN solution to remediate vulnerabilities as new updates become available.

• Our recommendation is to implement a Zero Trust Network Access (ZTNA) solution for secure remote access. This emerging technology minimizes your external footprint by removing digital assets from public visibility and securely ties authentication to your users.
• For more information on best practices to secure remote access, please check out our Knowledge Nest article 'Zero Trust Network Access’. 

• The Scan checks certificates to ensure that there are not large concentrations of self-signed certificates in use at your organization.
• Our risk model has identified a higher likelihood of ransomware attacks at organizations that use a high concentration of self-signed certificates in comparison to organizations that leverage certificates issued by Certificate Authorities (CAs).
• Consider leveraging certificates issued by reputable Certificate Authorities (CAs) and limiting the usage of publicly facing self-signed certificates at your organization
  
  

• The Scan checks security certificates on domains associated with your organization to verify that they are configured according to best practices.
• Specifically, our scan now checks for the following items related to SSL certificates:
  
  • Expired Certificate: Is the certificate valid at time of scan?
  • Certificate Length: Is the certificate valid for too long (longer than 398 days)?
  • Weak Cipher: Does the certificate use a weak encryption algorithm such as MD5 or SHA-1?

• For impacted domains, reissue a new certificate with the following best practices; renew expired certificates with a maximum validity of 398 days and an encryption hash algorithm of at least SHA-256.