Are my insurance terms affected by these scan findings or my risk score?
During your policy period, scan findings do not affect the terms of your current insurance policy. However, if they are not fixed over a period of time, they will lead to contingencies at renewal time and could also result in a claim. To help reduce your cyber risk, Coalition provides information about the vulnerabilities your organization has from an external perspective. These alerts are based on security best practices. They may also differ from the risk assessment findings at the start of your policy: the threat landscape is ever-evolving, and we want each policyholder to have a snapshot of active risks. Addressing these risks will help prepare you for your insurance renewal.
Are the scans a penetration test?
Coalition Control attack surface monitoring is not a penetration test. On a monthly basis, we scan policyholders’ external attack surfaces based on the domains provided during the quotation process, added by the policyholder during the policy period, or enumerated by our security platform using public information (see below).
Once public records, domains, and IPs are collected, our platform scans those endpoints from the public internet to identify technologies that may be vulnerable, similar to how threat actors conduct reconnaissance. Our platform also pulls data from a variety of third-party sources, including databases of known breaches, which Coalition correlates with the scan findings to enrich the risk assessment.
How does Coalition find our assets?
The most common ways Coalition finds assets and associates them with policyholders are: sub-domain enumeration (finding subdomains of domains already associated with your organization), DNS records, SSL certificates directly or historically associated with your organization, and IPWhois data in ARIN showing the organization’s name, address, or domain name registered to that asset. Each of these can occasionally result in a false-positive association. These can be reported in the Control platform as noted above, but they can also be reported to the source of the data and can often be corrected in the public records themselves.
You can also add/update your domains and IPs through Control to ensure we accurately capture your infrastructure.
Why are there so many medium and low level alerts?
A high number of medium and low level alerts is an indicator that something may be expanding your attack surface beyond what you have documented. Assets like SPF records that authorize too many IPs, or the use of public, shared, or wildcard certificates, may be exposing your organization to outside risks from systems over which you have varying levels of security control. Use the “source” column in the assets section to help identify the asset that might be opening the door to the other exposures.
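One check you can run on your own SPF record before the monthly scan does, as an added example that is not Coalition's tooling: it totals the IPv4 address space the record authorizes, counts DNS-querying mechanisms against the RFC 7208 limit of 10, and flags a permissive or missing `all`. The sample record and the thresholds are constructed for illustration and are not the scanner's scoring rules.

```python
import ipaddress
import re

# Constructed sample record for this example (not from the page); deliberately broad.
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/16 ip6:2001:db8::/32 "
              "include:_spf.example.net include:mail.example.org ~all")

# Thresholds are assumptions for illustration, not the scanner's actual scoring rules.
MAX_IPV4_ADDRESSES = 4096   # more than a /20 of authorized senders deserves a second look
MIN_IPV6_PREFIXLEN = 48     # anything shorter than a /48 authorizes enormous space
MAX_DNS_LOOKUPS = 10        # RFC 7208 limit on DNS-querying mechanisms per evaluation

# qualifier, mechanism/modifier name, optional dual-CIDR suffix, optional ':' or '=' value
TERM_RE = re.compile(r"^(?P<qual>[+\-~?]?)(?P<name>[a-z0-9_]+)(?:/[\d/]+)?"
                     r"(?:[:=](?P<value>\S+))?$", re.IGNORECASE)

def analyze_spf(record: str) -> dict:
    """Summarise an SPF TXT record and list why it may widen the attack surface."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ipv4_total, ipv6_prefixes, lookups, all_qualifier = 0, [], 0, None
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue  # malformed term; a fuller checker would report it
        qual = m.group("qual") or "+"
        name, value = m.group("name").lower(), m.group("value")
        if name == "ip4" and value:
            ipv4_total += ipaddress.ip_network(value, strict=False).num_addresses
        elif name == "ip6" and value:
            ipv6_prefixes.append(ipaddress.ip_network(value, strict=False).prefixlen)
        elif name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1  # each of these costs a DNS lookup under RFC 7208
        elif name == "all":
            all_qualifier = qual
    findings = []
    if ipv4_total > MAX_IPV4_ADDRESSES:
        findings.append("broad-ipv4")
    if any(p < MIN_IPV6_PREFIXLEN for p in ipv6_prefixes):
        findings.append("broad-ipv6")
    if lookups > MAX_DNS_LOOKUPS:
        findings.append("too-many-lookups")  # receivers treat this as a permanent error
    if all_qualifier in ("+", "?"):
        findings.append("permissive-all")    # any host may send as the domain
    elif all_qualifier is None:
        findings.append("missing-all")       # evaluation defaults to neutral
    return {"ipv4_addresses": ipv4_total, "ipv6_prefixes": ipv6_prefixes,
            "dns_lookups": lookups, "all": all_qualifier, "findings": findings}

if __name__ == "__main__":
    print(analyze_spf(SAMPLE_SPF))
```

Point the function at the TXT record returned by `dig TXT yourdomain` to check a live record; a tight record such as a single `ip4:` host with `-all` produces no findings.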