October '21 Corvus Policyholder Update

A new Corvus Scan experience, successful incident response, and what we can learn from the FB outage.

It’s October, so naturally, here are some scary things to consider around the campfire: 

  • A ghost in your basement flickering the lights
  • Vampires (or is it just bats?) circling your neighborhood
  • An employee clicking a link in an email from “support@m1crosoft.c0m” 

Gather some sage, garlic, and cybersecurity expertise for Halloween — catch up on last month’s edition of Bird’s Eye for added protection — and below we’ll cover the latest updates to the Policyholder Dashboard, plus the need-to-know in cybersecurity tips and trends. 

New Dashboard Feature: Interactive Corvus Scan Results


You might notice something new on your Policyholder Dashboard, under the Corvus Scan Results tab. Whereas in the past you received your scan results as a PDF, we’ve made them interactive — with information tailored to you — to help you combat risk at your organization. Now, through the Security Profile, you can see the most relevant information, with actionable advice based on your vulnerabilities, if any.

Want to improve your organization's Corvus Score? We’ve compiled our best advice on how to improve your score, protect your systems, and make renewing your policy as simple as possible.


Risk + Response Tips

Security tips and service updates from VP of Risk + Response Lauren Winchester

 

We’ve covered how to work with your cyber carrier (us!) during an incident, but what about before a cyber attack? What does an organization need to do to be adequately prepared to combat threat actors, and what does a successful incident response process look like, from start to finish?

We follow the story of Raven Corp, a real-life Corvus policyholder (renamed for privacy) who did everything right — from parallel work streams to a robust backup strategy, a solid Incident Response Plan and an up-to-date asset inventory. How many of their best practices have you implemented? 

Find out in our guide to Incident Response Done Right!



CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz

 

On October 4th, Facebook, Instagram, and WhatsApp went dark. Casual browsers, social media managers, and even Facebook engineers couldn’t access the network that had seemingly disappeared into thin air. In this instance, a faulty configuration change led to the six-hour outage (ultimately impacting 3.5 billion people). The takeaway from all of this? A tech company, even the biggest, is not too big to fail. Organizations should be thinking a lot more about the systemic cyber risk — especially in our interconnected world — that third-party vendors introduce to their systems and business processes.

So, how do you assess your Systemic Cyber Risk?

  • Document the technology that your organization uses to operate. This includes key vendors, SaaS applications and components of core systems. Determine which third-party software or services your systems rely on to run properly.
  • Determine the criticality/reliance of service for each vendor or product. How fundamental is each component to your operations?
  • Graph out your systems to provide a better understanding of the interconnectedness.
  • Build a contingency plan for when components fail. 

For more details on ranking criticality, what your graph may look like, and how to begin forming a contingency plan, you can read our full blog post here.


Monthly Alerts

 

Threat Report

What to watch for this month. 

 

Our Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:

Apache HTTP Web Server Vulnerability (October ‘21)

On October 4, 2021, the Apache Software Foundation released an updated version of their web server to fix two vulnerabilities present in Apache version 2.4.49. Attackers are leveraging the zero-day vulnerability, CVE-2021-41773, to view files outside of the website root directory and execute arbitrary code on the servers.

  • Unauthorized users can modify file permissions to gain the ability to execute files remotely on the server, or view files outside of the webroot (which could contain sensitive information that enables further attacks against the web server).
  • Identify if your organization is using Apache HTTP Web Server, and immediately patch the device to the latest version 2.4.50.
  • Review Apache web server logs to look for evidence of successful directory traversal attacks (indications of "../../../" in the log files) or suspicious behavior. If you do notice any suspicious activity, immediately notify Corvus of a potential claim through the email or hotline listed on your policy.
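As an added example (not from this newsletter), here is a small Python scanner that reviews Apache access-log lines for directory traversal. It percent-decodes each request path before looking for ".." segments, because the CVE-2021-41773 requests were submitted with encoded dots rather than a literal "../../../", and it marks hits the server answered with a success status. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1" 200 158 "-" "curl/7.68.0"
203.0.113.10 - - [05/Oct/2021:10:12:05 +0000] "GET /icons/../../../etc/hosts HTTP/1.1" 400 226 "-" "curl/7.68.0"
198.51.100.7 - - [05/Oct/2021:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2021:10:13:02 +0000] "GET /images/logo..png HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." that forms a whole path segment; "logo..png" is not a traversal.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(path):
    """Percent-decode until stable so %2e%2e and double-encoded %252e become '..'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def find_traversal_attempts(log_text):
    """Return one record per request whose decoded path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        raw = m.group("path").split("?", 1)[0]  # ignore the query string
        decoded = normalize_path(raw)
        if TRAVERSAL_RE.search(decoded):
            status = int(m.group("status"))
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "path": raw, "decoded": decoded, "status": status,
                         "served": status < 400})  # 2xx/3xx means the server answered it
    return hits


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        flag = "SERVED" if h["served"] else "blocked"
        print(f"{h['time']} {h['ip']} {flag} {h['path']} -> {h['decoded']}")
```

Hits marked "served" are the ones worth escalating: the request reached past the webroot and the server returned content rather than an error.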

NOBELIUM Attacks on Cloud Services

On October 25, 2021, the Microsoft Threat Intelligence Center (MSTIC) announced it has detected nation-state activity associated with the threat actor NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations.

  • NOBELIUM is the same actor behind the SolarWinds compromise in 2020.
  • NOBELIUM is exploiting existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve.
  • These attacks highlight the need for administrators to adopt strict account security practices and take additional measures to secure their environments. The MSTIC blog post (linked above) outlines steps that downstream customers of CSPs and MSPs should be taking to review and secure their administrator accounts.

Multiple Vulnerabilities in Apple Products

On October 27, 2021, CISA issued an advisory regarding vulnerabilities found in multiple Apple products. These vulnerabilities could allow for arbitrary code execution. 

  • Attackers can leverage some of the vulnerabilities to gain privileged access or bypass security restrictions on applications in order to read, write or delete data.
  • These vulnerabilities are not being exploited in the wild (yet). 
  • Administrators and users are advised to apply the appropriate security patches for these products immediately.