September '21 Corvus Policyholder Update

A vCISO update, implementing EDR, and why a robust backup strategy matters.

We haven’t seen a single orange leaf yet, but that won’t stop us from welcoming fall with open arms. Pumpkins, apple picking, ongoing cybersecurity tips from experts — there’s something for everyone this season. You can read last month’s edition of Bird’s Eye here. Below, we’ll cover the latest update to your Policyholder Dashboard, plus security tips and vulnerability insights.

New Corvus Feature: vCISO Instant Response

[DIAGRAM] New Corvus Feature: vCISO Instant Response

Keep your eyes peeled for our newest update to the vCISO tab on your Policyholder Dashboard, which makes communicating with us a bit more efficient and straightforward. Before, when receiving results from our scan that pinpointed any potential vulnerabilities, you had to email us directly to follow-up. 

Now, with a click of a button, you can quickly let us know if you’ve taken the steps to close the vulnerability. If you feel that the scan’s results are not valid or you’re not sure what your next steps are, you can click the appropriate selection, leave a note, and we’ll be in touch. 

[EMPLOYEE HEADSHOT] Lauren Winchester - Vice President of Risk + Response, Corvus InsuranceRisk + Response Tips 

Security tips and service updates from VP of Risk + Response Lauren Winchester


This month we’re highlighting why Endpoint Detection Response (EDR) comes out on top for protecting your systems. What sets it apart from standard Antivirus (AV) software or Next-Gen AV, and how you can go about implementing it at your organization? 

  • Looking at standard AV or even Next-Gen AV, it’s important to pinpoint their capabilities as well as their limitations. AV can protect an organization from low-hanging (malware) fruit, and Next-Gen AV introduces more enhanced capabilities to detect suspicious behavior, but with a focus on the system it’s installed on and not the overall enterprise.
  • EDR, however, can do all of the above and then some. It utilizes “Flight Recorder” technology that tracks activity on the system before and after an alert to clearly identify what malicious activity occurred on the system. 
  • When shopping for an EDR tool, avoid the pitfalls of tricky marketing and make sure it can do the following from our checklist:
    • Monitors and collects user and system activity data from endpoints
    • Analyzes data across the enterprise environment
    • Automatically responds to identified threats to remove or contain them
    • Has analysis tools to research identified threats and search for suspicious activities 

For more on utilizing EDR at your organization, you can read our full article here.

[EMPLOYEE HEADSHOT] Jason Rebholz - Chief Information Security Officer, Corvus Insurance

CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz


We’ve seen a positive trend recently — more organizations are hyper aware of the threat of ransomware, and have implemented a robust backup strategy to circumvent the need to pay hefty ransoms to restore their data, which can more than double the response costs. This positive trend has been driven by organizations first knowing what their critical systems are and then ensuring that those systems are adequately backed up. A common strategy we’ve seen deployed is the 3-2-1 backup strategy, which has saved many organizations from lengthy recovery times and large ransoms. 

For a quick overview of what that may look like, we’ve got you covered:

  • Three copies of your data. You can go above and beyond here, but the minimum expectation is that your data is available in three separate places. Production data (also consider virtual snapshots for some extra protections), on-site backups (your heavy lifter and first true line of defense), and offsite backups (which can be both tape and cloud backups). 
  • Two different media types. We touched on these already, as cloud, tape and snapshots are all different media types that strengthen and differentiate your backup strategy.
  • One offsite copy. Tape or cloud, have backups available elsewhere if your systems go down.

For more information on the 3-2-1 backup strategy and how to go above and beyond (wait, did someone say 3-2-1-1-0?) you can read our blog post here.

[DIAGRAM] Corvus Threat Report


Threat Report

What to watch for this month. 


Our Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:

Conti Ransomware IOCs

CISA and the FBI released a joint alert related to Conti ransomware. We recommend reviewing the entire alert linked above and checking your systems for indicators of compromise (IOCs). Particularly of note - if you ever observe the presence of Trickbot or IcedID trojans within your systems, time is of the essence to notify us of a potential claim and work with a forensics firm to prevent potential launch of a ransomware attack.

Microsoft MSHTML Vulnerability (September ‘21)

On September 7, 2021, Microsoft Security Response Center (MSRC) reported on a security vulnerability, CVE-2021-40444, in the MSHTML engine. MSHTML, also known as Trident, is the engine used for Internet Explorer and for rendering web based content in Microsoft Office applications.  The zero day exploit allowed a threat actor to send a specifically crafted Microsoft Office document that when opened would download and execute malicious files.

  • Successful exploitation will lead to the ability for a threat actor to execute malicious code on the system.
  • Executed malicious code will lead to post exploitation activity that could include the installation of malware and ransomware attacks.
  • We recommend that all Microsoft Windows customers patch systems to the latest OS version, disable ActiveX controls if not needed for business, and ensure users are trained in security and phishing awareness.

Fortinet FortiGate (September ‘21)

On September 8, 2021, Fortinet issued an advisory to customers regarding a threat actor who had leaked credentials for 500,000 Fortinet VPN users. It is believed that in 2020 the threat actor leveraged an old Fortinet vulnerability, CVE-2018-13379, to obtain credentials from unpatched Fortinet devices.

  • Fortinet encourages all organizations to perform a password reset following any upgrade as a risk mitigation best practice.
  • This is not a new vulnerability. It is related to a resolved vulnerability from May 2019. 
  • We recommend that you fully patch Fortinet appliances, change VPN credentials that have not been updated in the past three months, implement MFA, instruct users to change passwords to other accounts that may have used the same password, and review authentication logs for unusual login activity.

VMware vCenter Server Vulnerability (September ‘21)

On September 21, 2021, VMware issued an advisory that a vulnerability CVE-2021-22005 in their vCenter Servers was being actively exploited. The vulnerability allows a threat actor with access to port 443 to upload and execute files. 

  • A threat actor can upload and execute arbitrary files which could lead to the full compromise of the vCenter Server and virtual machines hosted on the hypervisor.
  • The affected VMware vCenter Server are versions 6.5, 6.7, and 7.0. Organizations with their vCenter Server available to the Internet are most at risk.
  • We recommend all VMware customers immediately patch the vCenter Server to the latest version, or leverage the workaround documented here if patching is not possible.
  • Use the vCenter Server appliance firewall to limit access to the vCenter Server to only those systems that require access to vCenter.