July '21 Corvus Policyholder Update

Policyholder Dashboard redesign, plus securing vendors and understanding the Kaseya breach.

New Corvus Feature: Policyholder Dashboard Redesign

If you’ve logged onto the Policyholder Dashboard recently, you may have noticed things look a bit different. First, we’d like to congratulate you on your keen eye! Second, we’ll highlight that good things do come with change.

Our redesign gives you quicker access to all of the important resources we have to offer, right from your dashboard. Our goal is to keep things as consistent as possible. So whether you’re scrolling through our website, looking at various materials (from our Risk + Response resources to longer form content), or logging on to access our vCISO — it’ll look familiar.


Risk + Response Tips

Security tips and service updates from VP of Smart Breach Response Lauren Winchester


This month, we’re highlighting the importance of securing vendors who have access to your environment and data. We continue to see high-profile breaches involving entire supply chains, impacting companies of all sizes. Unfortunately, in situations where your vendors are dealing with threat actors, the consequences don’t just stop there — they may end up at your doorstep. That’s why prioritizing vendor security is fundamental for mitigating risk at your organization, so we’ve gathered some best practices below:

  • Keep an inventory of your most critical suppliers or vendors, and detail what information each can access. Assess the impact that various threat scenarios (unauthorized access, ransomware, etc.) would have on your environment, based on the level of access each vendor has.
  • Look over your vendor contracts. Do they include security-related provisions, and do you have a plan for what happens if your vendor experiences a breach?
  • Check for proof of your vendor’s security standards and compliance. Some include: ISO 27001 certification, SOC 2 compliance, PCI DSS (if payment card data is involved), NIST CSF, CIS Controls, CSA STAR and C5 for cloud security, DFARS (for DoD contractors and subcontractors), HIPAA HITECH (for healthcare covered entities and business associates).

Still working on it? You can read more on securing vendors here.



CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz


Earlier this month, the REvil ransomware group targeted the on-premises Kaseya VSA solution, impacting Managed Service Providers (MSPs) and creating downstream outages for customers of the impacted MSPs. What we’ve seen unfold here is an example of a “one to many” attack (quite similar to a supply chain attack), where a threat actor gains access to a single point that in turn provides access to many more companies. This is why MSPs and tech companies are frequent targets in ransomware attacks: the threat actor can inflict greater harm — and gather more of the victims’ data — to gain more leverage to collect a larger ransom. For more details on the Kaseya (and PrintNightmare) vulnerabilities, you can read our blog post here.

As we see more and more threat actors infiltrate organizations with more downstream customers (for a greater reward), we want to highlight ways to protect your organization against third-party risk:

  • Incident response plans ensure that everyone at your company knows how to respond in the event of a breach, and are especially important for those with third-party vendors involved.
  • Just like applying sunscreen to protect you from the sun, applying controls and monitoring your vendors through a robust vendor management program is critical for protecting your environment in the long run. Know how your vendors access your environment and what dependencies you have on them to conduct your business. Ensure that your vendors are security-focused as well, and that you have contract provisions in place that determine how they will keep you in the loop. For more on vendor management, you can read our blog post here.


Monthly Alerts

Threat Report

What to watch for this month. 


Our Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:

CISA recently published Top Routinely Exploited Vulnerabilities. Please be sure to have your IT or IS lead take a look, and if any are applicable, remediate immediately!

Kaseya VSA (July ‘21 alert)

  • Applies to users of Kaseya’s VSA software, designed to enable organizations to remotely manage and monitor endpoints, as well as their network. 
  • Remediation of the on-premise Kaseya VSA server is only necessary if you manage a VSA server in your environment, so it’s more relevant to managed service providers than their customers.
  • This readiness guide helps prepare your server for the VSA release patch.

PrintNightmare (July ‘21 vulnerabilities)

  • Impacts all users of Windows Operating Systems (the vulnerability impacts the Windows Print Spooler service, which manages printing as both the client and server).
  • While the vulnerability is critical and pervasive, it is unlikely to be an initial attack vector as it is typically not externally facing. That said, an attacker gaining access to your environment by some other means will definitely leverage this exploit if it’s available.
  • We recommend patching systems immediately and following Microsoft’s additional Windows guidance on securing the Print Spooler service.
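The Print Spooler hardening the bullet above refers to can be audited, and where appropriate applied, with a short PowerShell script. The script below is an added example for this update, not code from Corvus or from Microsoft: the function name Get-SpoolerExposure, the -Disable switch, and the rule that a host sharing no printers is a candidate for disabling the service are assumptions of this example. The two registry values it reads are the policy-backed settings for “Allow Print Spooler to accept client connections” and “Point and Print Restrictions”; run it from an elevated PowerShell 5 or later session.

```powershell
# Added example (not from the Corvus update or from Microsoft): audit how exposed a
# Windows host's Print Spooler is and, only when asked, stop and disable the service
# on hosts that share no printers. Run from an elevated PowerShell session.
# Get-SpoolerExposure, the -Disable switch and the "no shared printers means the
# spooler is a candidate for disabling" rule are assumptions of this example.

param(
    [switch]$Disable   # read-only audit unless this switch is given
)

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Policy "Allow Print Spooler to accept client connections" is stored here;
    # a value of 2 means remote (RPC) connections to the spooler are refused.
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $remoteRpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
                  -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    # Point and Print hardening: 1 restricts printer driver installation to administrators.
    $pnpKey = Join-Path $printersKey 'PointAndPrint'
    $restrictDrivers = (Get-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators `
                        -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

    # Get-Printer comes with the PrintManagement module (Windows 8 / Server 2012 and later).
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }).Count

    [PSCustomObject]@{
        Computer                 = $env:COMPUTERNAME
        SpoolerStatus            = $svc.Status
        SpoolerStartType         = $svc.StartType
        SharedPrinters           = $shared
        RemoteConnectionsBlocked = ($remoteRpc -eq 2)
        DriverInstallAdminOnly   = ($restrictDrivers -eq 1)
        # A host that shares no printers is unlikely to need the spooler at all.
        CandidateForDisabling    = ($shared -eq 0 -and $svc.StartType -ne 'Disabled')
    }
}

$report = Get-SpoolerExposure
$report | Format-List

if ($Disable -and $report.CandidateForDisabling) {
    # Stop the running service first, then keep it from starting at boot.
    if ($report.SpoolerStatus -eq 'Running') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host "Print Spooler stopped and disabled on $($report.Computer)."
}
elseif ($Disable) {
    Write-Host ("Spooler left as-is on {0}: StartType={1}, shared printers={2}." -f `
        $report.Computer, $report.SpoolerStartType, $report.SharedPrinters)
}
```

Run it without arguments to get the report only, and with -Disable to act on it. On print servers and other hosts that must keep the spooler, the RemoteConnectionsBlocked and DriverInstallAdminOnly fields show which of the policy-based mitigations are in place, which is the path to take there instead of disabling the service.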

SonicWall SRA & Remote Access Devices (July ‘21 vulnerabilities)

  • Applies to organizations using SonicWall SRA and SMA products.
  • The affected products include SRA 4600/1600, SRA 4200/1200, SSL-VPN 200/2000/400, and SMA 400/200; we also recommend updating SMA 210/410/500v.
  • SonicWall has more guidance on next steps to take depending on which product/firmware you’re using.
  • All SonicWall users, even those who update regularly, should consider a password reset for their SonicWall credentials if they have not done one recently. Your organization’s credentials could have been taken by a threat actor back when these vulnerabilities initially surfaced, and if you updated without also doing a password reset, there is still some risk the credentials could be used.