The Corvus Scan: How It Works, and What to Expect
Whenever you get a quote for Smart Cyber, Smart Tech E&O, or Smart Cargo + Cyber, the coverage options you see are based in part on an assessment of your IT system. The technology we use to make this assessment is called the Corvus Scan. The Corvus Scan assesses your cybersecurity hygiene by analyzing your public-facing web infrastructure and combining this data with internet-wide vulnerability and threat research.
How to Learn About a Company's Web Security Practices
There are two main approaches to uncovering security vulnerabilities. One is “penetration testing,” which involves a simulated attack. This could only be done with your permission and in close collaboration with your IT organization, since it involves accessing sensitive systems just as a real attacker would.
The second is a non-invasive scan. There’s a vast array of information about a company’s IT infrastructure that is visible to the world at all times — if you know where, and how, to look for it. This is the approach we take with the Corvus Scan.
Summary: How Does the Corvus Scan Work?
We gather any relevant information that can be found without logging into or performing any type of exploit on a client’s systems. The scan looks at obvious aspects, such as the company’s public-facing website, as well as less obvious ones, such as vulnerabilities in bits of software embedded in a company’s web applications, or unused domains owned by the company. Corvus does not require access to servers, and does not require a password. We see the same information a malicious actor would if they are poking around “trying car doors”. The Corvus Scan assesses a company’s cyber security hygiene and insurance risk by analyzing its public web infrastructure, combined with internet-wide vulnerability and threat research.
Then we provide to you in a concise summary in your quote, and a full report once you’ve purchased a policy. Some of the details in this report will be of a low priority, presented as purely informational, while others may be immediately critical to a client’s cyber security. All of the information represents clues as to where the “bad guys” might see vulnerabilities and find a way into those systems. For the most critical vulnerabilities we find, we send an email alert to your broker (your broker can also sign you up to receive these directly).
Detail: Phases of the Scan
Phase 1: Discovery
The initial phase of the Corvus Scan is "Discovery." During the discovery phase, the scan identifies the scope of a company’s web-facing infrastructure. The scan locates all of the company’s domains and email servers, all of the software they use to run these services, and the third parties providing that software. With so many software-as-a-service applications in use at companies large and small, this can amount to a substantial “surface area” - far beyond the traditional web server and email server. The process of discovery itself leads to the identification of some critical risk factors, such as the size of the infrastructure (surface area) and how much third-party risk they are exposed to through their software providers.
Phase 2: Testing
Once the scope of the company’s surface area has been established, the scan will begin a phase of testing the more technical aspects of their cyber security. This includes software patching, web encryption, data loss history, email security, web applications, threat intelligence, hosting, DNS security and more. For example, when testing for “software patching,” we check all of the third-party software a company uses against a government-maintained database of known vulnerabilities, and create a score for software patching based on the number and severity of vulnerabilities identified. Numerous tests are performed, ranging from testing the security configurations of email and website servers to checking activity feeds for indicators of malicious activity.
For instance, the scan may reveal that a client is running an outdated version of a software, or that web encryption is not set up right. There might be websites and web applications still public that a company has forgotten about. And the scan might tell you about vulnerabilities that are well-known within an operating system that need to be patched. The result of each of these tests generates a recommendation for action to take in your Dynamic Loss Prevention™ Report.
Phase 3: Recommendations and Ongoing Monitoring
Discoveries made by the scan are aggregated, with weighting determined by a variety of factors that are specific to the client’s situation. The resulting numerical scores get pulled into the easy-to-digest DLP Report, and ultimately into a single number for the Corvus Score. This provides a single measure of a company’s security vulnerability. But it does not stop there. The vulnerabilities that were identified in the Discovery and Testing phases are also paired with a recommendation. These recommendations are drawn from security best practices and weighted by severity and potential to improve the client’s security. They are written in clear language so that clients can understand the vulnerabilities and take action.
After the initial DLP Report is delivered, Corvus will continue to monitor for new threats. With a Smart Cyber Insurance policy, Corvus runs a new scan quarterly during the policy period, along with real time alerts on critical vulnerabilities, so you can receive up-to-date information throughout the year.
Since the vulnerability scan is not performing an exploit, it cannot validate whether these vulnerabilities could result in a breach or claim event. False positives and false negatives can occur. The scan serves as a guide for the policyholder that should be validated through more extensive testing.