Incident response best practices, Colonial Pipeline, & more
Featured Article: How to Respond to a Cyber Incident
An incident is never a good thing, but knowing the best practices for response can significantly mitigate impacts to your organization.
Imagine the first moments of a ransomware attack. Many employees are locked out of their devices, so you don’t have an easy way to reach them. You’re not even sure if you should use your own email account. How will you react? When will you notify Corvus? What are the next steps? Do you need pre-approval to work with vendors? (Answer to that last one is yes!)
We’ve laid out the various stages of responding to an incident, from the moment of discovery to working with vendors to investigate what happened. You can read through our step-by-step process for responding to an incident here. The key takeaway: don’t go it alone! Corvus is here to help line up vendors and get you on the right response path. See our monthly tip below for more.
Risk & Response Tips
Security tips and service updates from VP of Smart Breach Response Lauren Winchester
This month’s tip is: Determine how your organization will respond to a cyber incident. While no one ever wants to think about the worst-case scenario, we do recommend being as prepared as possible if the circumstances arise. In regards to cybersecurity, you’ll see a lot of conversations that center around “it’s not if, but when,” a mindset we encourage among our policyholders.
Whatever circumstances arise, our priority is to work with policyholders every step of the way, whether it’s finding you third party vendors that fit your needs or talking you through establishing an incident response plan in the first place. We’ll cover what to expect and some best practices for responding to an incident:
When should I notify Corvus? If there’s an incident, we recommend letting us know as soon as possible. But a good rule of thumb is: if you’re considering the use of outside vendors to help you respond, you should notify us.
What’s the best way to notify? You’ll find claims contact information in your Policyholder Dashboard or on your policy, but you can reach us through email or our hotline. Neither approach is better or quicker, so stick with whichever you’re most comfortable with and feels most secure.
How long does a forensic investigation take? You should expect to have initial forensic findings after an incident within a week or two, but if the threat actors are sophisticated, it may take up to two months to complete the investigation.
See our article for more information on how Corvus will work with you through a cyber incident.
Trends in cybersecurity
The breach at Colonial Pipeline was a stark reminder that good cyber hygiene is crucial to protecting your organization. While the panic of a gas shortage was short-lived, the lasting impression is that utilities and energy companies (plus everyone else!) need to be taking preventive measures to limit their risk against threat actors. You can read our full coverage of the Colonial Pipeline situation here, and we’ll highlight some of the biggest takeaways below:
- Ransomware group DarkSide was responsible for the attack, using “double extortion” to increase leverage: stealing data and threatening to publish it, in addition to encrypting devices and servers.
- Colonial had several cybersecurity red flags, including poor patch management that was evident when Corvus scanned their system and found numerous instances of legacy software.
- Colonial Pipeline paid a $4.4 million dollar ransom.
What to watch for this month. Thanks to the Corvus Scan, we are able to identify and notify policyholders who could be at risk for these vulnerabilities — so you may have already heard from us. We’ve gathered any recent updates below to reiterate and provide potential updates:
- Applies to organizations running internet services on Exim.
- All Exim versions released before 4.94.2 are vulnerable and should be patched immediately.
- It is unknown if cyber threat actors are currently exploiting these vulnerabilities. Qualys is not publishing an exploit code, but exploitation in the wild will likely occur soon.
- Upgrade all Exim software to the latest version 4.94.2 (May 4, 2021 patch available here).