Teams of security experts work nonstop to identify and publicise software vulnerabilities and other possible security weaknesses, hoping to beat cybercriminals to the punch.
Yet once found, the issues they discover can persist on systems around the world for months or years. Even at organizations where IT teams are proactive in patching software and protecting systems, things slip through the cracks. This is problematic for everyone: the organizations, their customers and vendors, cyber insurers, and insurance brokers trying to help their clients stay safe.
RDP takes the cake
Persistence is the rule with RDP. As we’ve discussed before, remote desktop protocol ports, when left unsecured and open to the internet, are a well-known soft spot for attackers. Yet years after exploits began, enough opportunities persist for attackers to have made it the #1 vector for ransomware attacks amid the current ransomware wave — which began in 2017, exploded in 2019, and continues today. RDP is now the conduit for the majority of ransomware attacks, easily beating out better-known “social engineering” attack vectors like phishing.
Facing this singular threat, cyber insurers have been forced to implement stricter guidelines around underwriting to deal with the slew of claims resulting from ransomware attacks traced back to RDP vulnerabilities. The way some insurers, like Corvus, uncover this risk can be helpful for prospective policyholders — even those who don’t end up buying a policy.
How we keep up with the criminals
Security gaps like RDP ports are found so frequently in part because of the size and complexity of modern IT systems. Just one lonely server with an unsecured port among dozens, hundreds or thousands is potentially enough to let an attacker into the network — a needle in a haystack. Being able to scan specifically for major threats is powerful, especially for companies with small or overly taxed IT departments.
In the latest update to the Corvus Scan, we’ve upgraded our dynamic vulnerability alerts, a feature we’ve been rolling out to our brokers and policyholders over the past few months.
Brokers working with Corvus are notified any time a vulnerability like RDP is found on one of their clients. They can also sign up their clients or agents they work with to receive the same alerts in real time.
Our alerts include those for BlueKeep, a specific software vulnerability that enables the exploit of RDP, as well as for the general risk of an open RDP port. We’ve sent hundreds of alerts for these vulnerabilities to date.
We’ll soon be releasing alerts for longstanding vulnerabilities like Server Message Block (SMB) and Telnet, as well as any new and urgent vulnerabilities that rise to prominence among cyber criminals, like RDP has.
Do clients respond?
Yes – and positively. The majority of alerted organizations took action on the basis of an alert and all of those who responded did so favorably. They closed down ports with RDP that were no longer necessary, moved needed ports behind a VPN, or otherwise secured access. This not only helps those organizations mitigate risk; it also helps make the web safer for everyone by reducing the overall supply of easy credentials for criminals, making their job harder and more expensive.
Oftentimes an alert is unnecessary because it’s caught up front. Our automated scan locates threats like unprotected RDP upon quoting for new business and we notify the broker and policyholder. Since implementing RDP alerts and pre-bind checks, we’ve seen a dramatic decrease in ransomware claims for the new policyholders impacted, something we will cover in greater detail in an upcoming report.
The value opportunity for brokers
Security scanning and alerting tech offers brokers an opportunity to bring value to clients in two ways: helping identify present threats at the point of purchase, and the peace of mind knowing that throughout the policy year, any significant new threats will be brought to their attention. Oh, and, the coverage is great too.