July '24 Policyholder Newsletter

Third-party Risk Management tops our podium this month

There’s nothing like getting absorbed into the thick of the competition in a sport you haven’t thought about once in the last few years. Whitewater canoe slalom? Sabre fencing? Skiff sailing?

Hopefully you’re somewhat more familiar with the key players in the fight for the best cybersecurity controls. It’s a competitive field, with MFA, Vulnerability Management, and ZTNA — but for our money, this is the summer of Third-Party Risk Management.

Read on to learn more about this medal-worthy security program, and a great example (in the form of the CrowdStrike outage) of why it’s so important.


[BANNER] Risk Advisory Tips

The Corvus claims team is seeing increased attacks against third-party vendors that can impact thousands of companies at a time. In early 2023, around 15% of Corvus claims resulted from vendor events; by early 2024 this number had grown to around 29%.

You don’t need claims data (but it helps!) to see this trend. Recent incidents at Change Healthcare and CDK illustrate the significant impact third-party technologies and service providers can have on organizations when they face disruptions or failures.

So what can you do about it? It starts with understanding your risk through your Third-Party Risk Management (TPRM) program.

Five Steps to a Third-Party Risk Management (TPRM) Program:

  1. Develop a policy

    • Define how third parties are identified, assessed, monitored, and managed.

  2. Always do your due diligence

    • Evaluate potential vendors’ security controls, compliance with applicable regulations, financial stability, and operational resilience.

  3. Implement strong contractual controls

    • Negotiate contracts that define security and compliance standards expected of vendors.

  4. Plan for Incident Response

    • Work with your vendors to ensure that there are clear and tested plans in place for notifying and responding to security incidents.

  5. Educate and train your people

    • Make sure that your teams know of the risks associated with third-party engagements and are trained on your TPRM policies. 

Interested in more information on how to build out or improve your TPRM program? Check out our blog post here.

If you have questions and are a Policyholder, our Risk Advisory team is always here to help make sense of this world. You can schedule a call with a Cyber Specialist.



[BANNER] Threat Intel Corner

On July 19, 2024, the world woke up to a massive IT outage that affected numerous industries across the globe. The culprit? A faulty software update from cybersecurity firm CrowdStrike. CrowdStrike, a leading provider of cloud-native cybersecurity solutions, inadvertently pushed out a defective content update for its Falcon sensor, causing Windows hosts running the sensor to crash with a blue screen and, in many cases, to fail repeatedly on reboot. Because the sensor runs with kernel-level privileges and updates are delivered automatically, a single bad file took down machines worldwide within hours. This resulted in widespread disruptions across a number of sectors including airlines, finance, healthcare, and media.

The outage had far-reaching consequences:

  • Travel Industry: Major airlines, including United, American, Delta, and Ryanair, experienced significant delays and cancellations.
  • Healthcare: Hospitals in several countries had to switch to manual processes.
  • Banking: Financial institutions worldwide reported service disruptions.
  • Media: Some broadcasters, including Sky News in the UK, were forced off the air.

Even though this wasn’t a cyber attack, cybercriminals are opportunistic, and they aren’t going to let news like this slide by without trying to take advantage of it. Reports have emerged of cybercriminals pitching "updates" or "fix tools" for the CrowdStrike issue that are simply malware in disguise. Be on the lookout for phishing attempts or scams purporting to come from CrowdStrike. Remember that CrowdStrike published its remediation guidance on its own website; no legitimate fix arrives as an unsolicited e-mail attachment or as a download from an unfamiliar domain, so verify the sender and the domain before acting. The Corvus Threat Intel team has already observed attackers stockpiling domains that mimic CrowdStrike to support their social engineering efforts!
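One practical check a defender can run against the lookalike-domain trend described above: screen newly registered or newly observed domains for a vendor's brand name, common homoglyph substitutions, and near-misses by edit distance. The script below is an added example, not Corvus tooling or anything published by CrowdStrike; the domain list is constructed for illustration, and the allowlist of the vendor's own domains is an assumption you would replace with your own.

```python
"""Flag domains that impersonate a vendor brand (here "crowdstrike").

Added example with a constructed sample list; not Corvus or CrowdStrike code.
"""

BRAND = "crowdstrike"
# Assumed allowlist of the vendor's real registrable domains (extend as appropriate).
LEGIT_DOMAINS = {"crowdstrike.com"}

# Typosquat substitutions mapped back to the letter(s) they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def fold_homoglyphs(label):
    """Replace common look-alike characters with the letters they mimic."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND, legit=LEGIT_DOMAINS, max_distance=2):
    """Return a reason string if `domain` looks like a brand impersonation, else None."""
    d = domain.lower().strip().rstrip(".")
    # The vendor's own domain and its subdomains are not lookalikes.
    if d in legit or any(d.endswith("." + l) for l in legit):
        return None
    labels = d.split(".")
    # Naive registrable-label selection: drop the last label as the TLD.
    # Multi-part public suffixes (co.uk, ...) are out of scope for this example.
    candidates = labels[:-1] if len(labels) > 1 else labels
    for label in candidates:
        if brand in label:
            return "contains brand"
        folded = fold_homoglyphs(label)
        if folded != label and brand in folded:
            return "homoglyph of brand"
        dist = levenshtein(folded, brand)
        if dist <= max_distance:
            return f"edit distance {dist} from brand"
    return None


def find_lookalikes(domains):
    """Return (domain, reason) pairs for every domain that trips a check."""
    results = []
    for d in domains:
        reason = classify(d)
        if reason:
            results.append((d, reason))
    return results


# Constructed sample input: a mix of the real vendor domain, plausible squats, and noise.
SAMPLE_DOMAINS = [
    "crowdstrike.com",                      # legitimate, allowlisted
    "falcon.crowdstrike.com",               # legitimate subdomain
    "crowdstrike-fix.com",                  # brand plus lure word
    "crowdstrlke.com",                      # i -> l
    "cr0wdstrike.com",                      # o -> 0
    "crovvdstrike.com",                     # w -> vv
    "cloudstrike.com",                      # two substitutions
    "support.crowdstrike.com.example.net",  # brand buried in a subdomain
    "microsoft.com",                        # unrelated
    "bluebird.org",                         # unrelated
]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(SAMPLE_DOMAINS):
        print(f"[!] {domain}: {reason}")
```

The order of the checks matters: a label containing the brand outright is the strongest signal and is reported first, homoglyph folding catches substitutions that edit distance alone would under-weight, and the distance threshold of 2 is a tuning knob that trades recall for false positives on short brand names.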


[BANNER] Threat Alerts

The Corvus Scan is a powerful asset that helps us identify which policyholders are exposed to specific vulnerabilities. In response, we send tailored, time-sensitive notifications with direct guidance for remediation.

We’ve gathered a monthly round-up of our alerts and threat intel updates below:

VMWare ESXi Vulnerability

Microsoft researchers have disclosed a vulnerability in VMware ESXi hypervisors, tracked as CVE-2024-37085, that allows an attacker with sufficient Active Directory permissions to gain full administrative access to domain-joined ESXi hosts. When an ESXi host is joined to a domain, it grants full administrative rights by default to members of a domain group named "ESX Admins" without validating that the group exists or that it was created legitimately. An attacker who can create a group by that name (or rename an existing group to it) and add an account to it therefore becomes a hypervisor administrator and can encrypt or destroy every virtual machine on the host. Ransomware groups are actively exploiting this, so it is critical that the vendor's security updates (ESXi 8.0 U3) be installed immediately. Where patching must wait, Broadcom's documented workaround is to set the advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false, and optionally to point Config.HostAgent.plugins.hostsvc.esxAdminsGroup at a group name you control.
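The Active Directory side of this technique leaves a trail in the Windows Security log of the domain controller: Microsoft's writeup describes attackers either creating a group named "ESX Admins" or renaming an existing group to that name, and then adding an account to it. The script below, an added example and not Corvus, Microsoft or VMware code, hunts for exactly those events (group created, group changed/renamed, member added) over a batch of log records. The sample events are constructed for the example; their field names follow the Security log's EventData names (EventID, TargetUserName, SubjectUserName, MemberName, SamAccountName), which is an assumption about how your log pipeline exports them.

```python
"""Hunt Windows Security events for creation, renaming or population of an AD
group named "ESX Admins", the group that CVE-2024-37085 trusts by default.

Added example; sample events below are constructed, not real logs.
"""
import re

# Standard Windows Security log event IDs for security-enabled groups.
GROUP_CREATED = {4727, 4754}  # global / universal group created
MEMBER_ADDED = {4728, 4756}   # member added to global / universal group
GROUP_CHANGED = {4737, 4755}  # global / universal group changed (covers renames)

TARGET_GROUP = "esx admins"


def normalize(name):
    """Lower-case and collapse whitespace so 'ESX  Admins' or 'esx admins' still match.

    This is deliberately loose detection logic so a hunt does not miss variants;
    it is not a statement about how ESXi itself compares the group name.
    """
    return re.sub(r"\s+", " ", (name or "").strip()).lower()


def hunt_esx_admins(events):
    """Return one finding dict per event that creates, renames into, or adds a
    member to a group named 'ESX Admins'.

    `events` is an iterable of dicts keyed by Security-log EventData field names.
    """
    findings = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        actor = ev.get("SubjectUserName", "?")
        target = normalize(ev.get("TargetUserName"))
        if eid in GROUP_CREATED and target == TARGET_GROUP:
            findings.append({"event_id": eid, "actor": actor,
                             "reason": "group 'ESX Admins' created"})
        elif eid in MEMBER_ADDED and target == TARGET_GROUP:
            findings.append({"event_id": eid, "actor": actor,
                             "reason": f"{ev.get('MemberName')} added to 'ESX Admins'"})
        elif eid in GROUP_CHANGED and (
                target == TARGET_GROUP
                or normalize(ev.get("SamAccountName")) == TARGET_GROUP):
            findings.append({"event_id": eid, "actor": actor,
                             "reason": "group renamed/changed to 'ESX Admins'"})
    return findings


# Constructed sample events (not real logs); field names as exported from EventData.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Domain Users",
     "MemberName": "CN=J. Doe,OU=Staff,DC=corp,DC=example"},           # benign
    {"EventID": 4727, "SubjectUserName": "svc-compromised",
     "TargetUserName": "ESX Admins"},                                   # group created
    {"EventID": 4728, "SubjectUserName": "svc-compromised", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-compromised,OU=Service,DC=corp,DC=example"},  # member added
    {"EventID": 4737, "SubjectUserName": "svc-compromised", "TargetUserName": "ESX Admins",
     "SamAccountName": "ESX Admins"},                                   # existing group renamed
    {"EventID": 4737, "SubjectUserName": "admin2", "TargetUserName": "Finance Staff",
     "SamAccountName": "Finance Staff"},                                # benign change
]

if __name__ == "__main__":
    for f in hunt_esx_admins(SAMPLE_EVENTS):
        print(f"[!] event {f['event_id']} by {f['actor']}: {f['reason']}")
```

Because ESXi resolves the group by name rather than by SID, the rename path (4737/4755) deserves the same weight as outright creation; a mature deployment would also alert on any domain group matching this name that exists at all, since no legitimate group by that name should appear unless your virtualization team created it deliberately.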

Cisco SSM Vulnerability

A critical vulnerability (CVE-2024-20419) has been discovered in Cisco Smart Software Manager On-Prem (SSM On-Prem), a license management tool used by service providers and Cisco partners. The flaw lies in the product's password-change process and allows an unauthenticated, remote attacker to change the password of any user, including administrative accounts, which is why it carries the maximum CVSS severity score of 10 out of 10. Cisco has released security updates to address this vulnerability and there is no workaround. While there is currently no reported active exploitation or Proof of Concept (PoC) code, it is crucial that impacted organizations upgrade to a fixed release immediately, and that SSM On-Prem management interfaces not be reachable from the internet in the meantime.

Acronis Cyber Infrastructure Vulnerability

A critical security flaw (CVE-2023-45249) has been discovered in Acronis Cyber Infrastructure, a multi-tenant platform combining virtualization, software-defined storage, and backup. The vulnerability stems from default credentials, which allow an unauthenticated attacker to gain access and execute commands remotely; it has been reported as exploited in the wild. The issue affects builds prior to 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132. To mitigate the risk, Acronis strongly recommends immediate patching of affected systems with the latest security updates; as with any default-credential flaw, also confirm that the management interface is not exposed to untrusted networks.

DigiCert Certificate Revocations

DigiCert began a planned revocation of certificates on July 30, 2024, after discovering that one of its domain control validation methods (a CNAME-based check) had omitted a required underscore prefix from the random value it issued, meaning the affected certificates had to be revoked under CA/Browser Forum rules. Both DigiCert and CISA are providing updates on the situation and have been working alongside affected and critical infrastructure customers. “All impacted certificate serial numbers will continue to be listed in [the] DigiCert portal and will be removed once revoked.” If a replacement certificate is not issued and installed before the original is revoked, browsers and other clients will reject the connection, and the website or application will go down. “All certificates impacted by this incident, regardless of circumstances, will be revoked no later than Saturday, August 3rd 2024, 19:30 UTC."