How to work with your cyber insurer on incident response, implementing a Risk-based Vulnerability Management Program, and more.
Just like the always reliable pumpkin spice latte — which, yes, is back already — we’ve returned with another edition of Bird’s Eye, our policyholder newsletter. Place your order at your favorite coffee shop (we won’t judge...but we love Dunkin') and catch up on last month’s version here. Below, we’ll cover the latest in cybersecurity trends, how to work with your carrier (us!) on incident response, and more.
Risk + Response Tips
Security tips and service updates from VP of Smart Breach Response Lauren Winchester
We’ve covered the steps of responding to a cyber incident before, from the discovery stage to a potential regulatory investigation. Being prepared for the worst-case scenario is the best way to not only mitigate risk, but improve your chances of a smoother outcome. The less downtime in the event of an incident, the better.
This month we’re delving deeper into how to work with your cyber insurer at each stage of incident response. Whether you’re curious how Corvus will walk you through a claim, or need a more detailed explanation of what a forensic team does after a breach, we’ve covered all your bases.
To settle all your cyber incident questions ahead of time, you can read our full How to Work with your Cyber Insurer on Incident Response here.
Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz
Contrary to popular belief, most attacks aren’t particularly sophisticated. So while none of us has a crystal ball to predict the next zero-day exploit, the best thing you can do is focus on establishing a Risk-based Vulnerability Management Program (RBVM). This helps you prioritize vulnerabilities based on the actual risk they pose to your organization. A traditional Vulnerability Management approach says that every critical vulnerability should be patched immediately; an RBVM instead weighs how likely each vulnerability is to be exploited and what the impact on your organization would be if it were. For example, you’d prioritize a vulnerability that could permit unauthorized access into your internal environment over one with less catastrophic results — even if they’re both technically ranked as critical.
For more on how to establish an RBVM Program, you can read our blog post here.
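To make the "two criticals, different priorities" point concrete, here is a small prioritizer added for this newsletter (it is example code, not Corvus tooling or the method from the linked blog post). The weighting factors, the patch-window thresholds, and the four `CVE-EXAMPLE-*` findings are all constructed assumptions for illustration; a real program would feed in your own asset inventory and exploit intelligence.

```python
"""Toy risk-based vulnerability prioritizer (added example, not Corvus code).

Traditional VM sorts by vendor severity (CVSS) alone.  RBVM multiplies an
exploit-likelihood estimate by a business-impact estimate, so an isolated
CVSS 9.8 can fall below an internet-facing CVSS 7.5 that is being exploited.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                 # vendor / NVD base score, 0.0 - 10.0
    internet_facing: bool       # reachable from outside the perimeter?
    exploited_in_wild: bool     # is public exploitation being reported?
    asset_criticality: int      # 1 (lab box) .. 5 (crown-jewel system)
    grants_internal_access: bool  # would exploitation open the internal network?


def risk_score(f: Finding) -> float:
    """Likelihood x impact, scaled to roughly 0-100.  Weights are assumptions."""
    likelihood = 1.0
    if f.internet_facing:
        likelihood *= 2.0        # exposed services get attacked first
    if f.exploited_in_wild:
        likelihood *= 2.0        # active exploitation doubles urgency again
    impact = (f.cvss / 10.0) * (f.asset_criticality / 5.0)
    if f.grants_internal_access:
        impact *= 1.5            # a foothold into the internal environment
    return round(likelihood * impact * 10.0, 2)


def patch_window(score: float) -> str:
    """Map a risk score to an assumed remediation SLA (thresholds are illustrative)."""
    if score >= 40:
        return "out-of-band: patch now"
    if score >= 15:
        return "within 7 days"
    if score >= 5:
        return "next patch cycle"
    return "backlog"


def traditional_order(findings: list[Finding]) -> list[str]:
    """Severity-only ordering: highest CVSS first, ties keep input order."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rbvm_order(findings: list[Finding]) -> list[str]:
    """Risk-based ordering: highest risk_score first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample inventory.  Two findings share the same 9.8 severity.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 9.8, True, True, 5, True),    # exposed mail server
    Finding("CVE-EXAMPLE-0002", 9.8, False, False, 2, False), # isolated test VM
    Finding("CVE-EXAMPLE-0003", 7.5, True, True, 4, False),   # exposed VPN appliance
    Finding("CVE-EXAMPLE-0004", 5.3, False, False, 1, False), # internal print server
]


def report(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (cve, score, window) rows in RBVM priority order."""
    rows = [(f.cve, risk_score(f), patch_window(risk_score(f))) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print("Traditional (CVSS only):", traditional_order(SAMPLE))
    print("Risk-based:             ", rbvm_order(SAMPLE))
    for cve, score, window in report(SAMPLE):
        print(f"{cve}: score={score:>5}  ->  {window}")
```

Run as a script, the traditional list keeps both 9.8s at the top, while the risk-based list pushes the isolated test-VM finding below the actively exploited 7.5 on the VPN appliance, which is exactly the judgement an RBVM program is meant to encode.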
What to watch for this month.
Our Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:
Microsoft Exchange ProxyShell (August ‘21)
On August 21st, CISA issued an urgent security alert regarding threat actors exploiting three ProxyShell vulnerabilities in Microsoft Exchange. We’ve advised all policyholders running outdated versions of on-premises Microsoft Exchange to update to the latest released version.
- Applies to customers running outdated versions of on-premises Microsoft Exchange. You should update your Exchange servers to the latest version.
- Threat actors are chaining the ProxyShell vulnerabilities to bypass access control and elevate privileges on the Exchange PowerShell backend, which effectively gives the attacker unauthenticated remote code execution.
- Check whether your server was already compromised using this security researcher’s article and script; patching alone does not remove an attacker who got in before the update.
Microsoft Azure Cosmos DB ChaosDB (August ‘21)
On August 26th, security researchers from the cyber security company Wiz announced a vulnerability, dubbed ChaosDB, in the cloud-based Microsoft Azure Cosmos Database (Cosmos DB). The vulnerability, while critical, poses no immediate threat to organizations because Microsoft patched the issue and contacted impacted customers. Regardless, Microsoft advises all customers to rotate and regenerate their keys (instructions available in this article).
This serves as a reminder that even cloud-based applications are prone to vulnerabilities, and additional care should be taken to monitor for and detect unauthorized activity.