09.16.20

Lauren Winchester

Who’s Afraid of RDP? How Insurance Helps Squash the #1 Ransomware Risk

Teams of security experts work nonstop to identify and publicize software vulnerabilities and other possible security weaknesses, hoping to beat cybercriminals to the punch.

Yet once found, the issues they discover can persist on systems around the world for months or years. Even at organizations where IT teams are proactive in patching software and protecting systems, things slip through the cracks. This is problematic for everyone: the organizations, their customers and vendors, cyber insurers, and insurance brokers trying to help their clients stay safe.

Remote Desktop Protocol (RDP) Takes the Cake 

Persistence is the rule with RDP. As we’ve discussed before, Remote Desktop Protocol ports, when left unsecured and open to the internet, are a well-known soft spot for attackers. Yet years after exploits began, enough opportunities persist for attackers to have made it the #1 vector for ransomware attacks amid the current ransomware wave -- which began in 2017, exploded in 2019, and continues today. RDP is now the conduit for the majority of ransomware attacks, easily beating out better-known “social engineering” attack vectors like phishing.

Facing this singular threat, cyber insurers have been forced to implement stricter guidelines around underwriting to deal with the slew of claims resulting from ransomware attacks traced back to RDP vulnerabilities. The way some insurers, like Corvus, uncover this risk can be helpful for prospective policyholders -- even those who don’t end up buying a policy. 

How Does Corvus Keep Up With the Criminals?

Security gaps like RDP ports are found so frequently in part because of the size and complexity of modern IT systems. Just one lonely server with an unsecured port among dozens, hundreds, or thousands is potentially enough to let an attacker into the network -- a needle in a haystack. Being able to scan specifically for major threats is powerful, especially for companies with small or overly taxed IT departments. 

  • In the latest update to the Corvus Scan, we’ve upgraded our dynamic vulnerability alerts, a feature we’ve been rolling out to our brokers and policyholders over the past few months.
  • Brokers working with Corvus are notified any time a vulnerability like exposed RDP is found on one of their clients’ systems. They can also sign up their clients or the agents they work with to receive the same alerts in real time.
  • Our alerts include those for BlueKeep, a specific software vulnerability that enables exploitation of RDP, as well as for the general risk of an open RDP port. We’ve sent hundreds of alerts for these vulnerabilities to date.
  • We’ll soon be releasing alerts for longstanding exposures like open Server Message Block (SMB) and Telnet ports, as well as for any new and urgent vulnerabilities that rise to prominence among cybercriminals the way RDP has.


How Do Clients Respond?

They do - and positively. The majority of alerted organizations took action on the basis of an alert, and all of those who responded did so favorably. They closed down RDP ports that were no longer necessary, moved the ports they still needed behind a VPN, or otherwise secured access. This not only helps those organizations mitigate risk; it also helps make the web safer for everyone by reducing the overall supply of easy entry points for criminals, making their job harder and more expensive.
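An added example (not Corvus’s scanner or any vendor’s code) of the check behind an “open RDP” alert and the fix clients applied: it audits a constructed list of firewall or cloud security-group ingress rules for TCP 3389 reachable from outside the organization’s own address ranges, including rules whose wide port range quietly covers 3389, and rewrites an offending rule so only the VPN range can reach it. The rule format, the internal ranges and the sample inventory are assumptions.

```python
# Added example: find ingress rules that expose RDP (TCP 3389) to the internet and
# show the hardened form (RDP reachable only from the VPN range). Rule layout,
# internal ranges and sample inventory are constructed for illustration.
import ipaddress
from dataclasses import dataclass, replace

RDP_PORT = 3389

# Assumed: address ranges the organization considers "inside"; anything else is public.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class IngressRule:
    name: str
    protocol: str   # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str     # CIDR allowed to connect

def is_public_source(cidr: str) -> bool:
    """True unless the whole source range sits inside one internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_RANGES)

def exposes_rdp(rule: IngressRule) -> bool:
    """Rule allows TCP 3389 (directly or inside a wider port range) from a public source."""
    if rule.protocol not in ("tcp", "any"):
        return False
    if not (rule.port_from <= RDP_PORT <= rule.port_to):
        return False
    return is_public_source(rule.source)

def exposed_rdp_rules(rules):
    """The alert list: every rule in the inventory that exposes RDP."""
    return [r for r in rules if exposes_rdp(r)]

def restrict_to_vpn(rule: IngressRule, vpn_cidr: str) -> IngressRule:
    """Hardened form: same rule, narrowed to port 3389 from the VPN range only."""
    return replace(rule, port_from=RDP_PORT, port_to=RDP_PORT, source=vpn_cidr)

# Constructed inventory: one forgotten server among many, plus a range covering 3389.
SAMPLE_RULES = [
    IngressRule("web-https", "tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("legacy-fileserver-rdp", "tcp", 3389, 3389, "0.0.0.0/0"),
    IngressRule("dev-wide-open", "tcp", 3000, 4000, "198.51.100.0/24"),
    IngressRule("admin-rdp-via-vpn", "tcp", 3389, 3389, "10.8.0.0/24"),
    IngressRule("dns-udp", "udp", 53, 53, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for r in exposed_rdp_rules(SAMPLE_RULES):
        print(f"ALERT: {r.name} exposes RDP from {r.source}; fix -> {restrict_to_vpn(r, '10.8.0.0/24')}")
```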

Oftentimes an alert is unnecessary because the issue is caught up front. Our automated scan locates threats like unprotected RDP when we quote new business, and we notify the broker and policyholder. Since implementing RDP alerts and pre-bind checks, we’ve seen a dramatic decrease in ransomware claims for the new policyholders affected, something we will cover in greater detail in an upcoming report.

The Value Opportunity for Brokers

Security scanning and alerting technology offers brokers an opportunity to bring value to clients in two ways: helping identify present threats at the point of purchase, and the peace of mind of knowing that throughout the policy year, any significant new threats will be brought to their attention. Oh, and the coverage is great too.
