16 September 2020
Lauren Winchester

Who’s afraid of RDP? How insurance helps squash the #1 ransomware risk


Teams of security experts work nonstop to identify and publicise software vulnerabilities and other possible security weaknesses, hoping to beat cybercriminals to the punch. 

Yet once found, the issues they discover can persist on systems around the world for months or years. Even at organizations where IT teams are proactive in patching software and protecting systems, things slip through the cracks. This is problematic for everyone: the organizations, their customers and vendors, cyber insurers, and insurance brokers trying to help their clients stay safe.

RDP takes the cake 

Persistence is the rule with RDP. As we’ve discussed before, remote desktop protocol ports, when left unsecured and open to the internet, are a well-known soft spot for attackers. Yet years after exploits began, enough opportunities persist for attackers to have made it the #1 vector for ransomware attacks amid the current ransomware wave — which began in 2017, exploded in 2019, and continues today. RDP is now the conduit for the majority of ransomware attacks, easily beating out better-known “social engineering” attack vectors like phishing. 

Facing this singular threat, cyber insurers have been forced to implement stricter guidelines around underwriting to deal with the slew of claims resulting from ransomware attacks traced back to RDP vulnerabilities. The way some insurers, like Corvus, uncover this risk can be helpful for prospective policyholders — even those who don’t end up buying a policy. 

How we keep up with the criminals

Security gaps like RDP ports are found so frequently in part because of the size and complexity of modern IT systems. Just one lonely server with an unsecured port among dozens, hundreds or thousands is potentially enough to let an attacker into the network — a needle in a haystack. Being able to scan specifically for major threats is powerful, especially for companies with small or overly taxed IT departments. 

In the latest update to the Corvus Scan, we’ve upgraded our dynamic vulnerability alerts, a feature we’ve been rolling out to our brokers and policyholders over the past few months.

Brokers working with Corvus are notified any time a vulnerability like exposed RDP is found on one of their clients' systems. They can also sign up their clients, or agents they work with, to receive the same alerts in real time.

Our alerts include those for BlueKeep, a specific software vulnerability that enables exploitation of RDP, as well as for the general risk of an open RDP port. We’ve sent hundreds of alerts for these vulnerabilities to date.

We’ll soon be releasing alerts for longstanding risks like exposed Server Message Block (SMB) and Telnet services, as well as any new and urgent vulnerabilities that rise to prominence among cyber criminals, as RDP has.

Do clients respond? 

Yes – and positively. The majority of alerted organizations took action on the basis of an alert and all of those who responded did so favorably. They closed down ports with RDP that were no longer necessary, moved needed ports behind a VPN, or otherwise secured access. This not only helps those organizations mitigate risk; it also helps make the web safer for everyone by reducing the overall supply of easy credentials for criminals, making their job harder and more expensive. 

Oftentimes an alert is unnecessary because the issue is caught up front. Our automated scan locates threats like unprotected RDP when we quote new business, and we notify the broker and policyholder. Since implementing RDP alerts and pre-bind checks, we’ve seen a dramatic decrease in ransomware claims for the new policyholders impacted, something we will cover in greater detail in an upcoming report.

The value opportunity for brokers

Security scanning and alerting tech offers brokers an opportunity to bring value to clients in two ways: helping identify present threats at the point of purchase, and the peace of mind knowing that throughout the policy year, any significant new threats will be brought to their attention. Oh, and, the coverage is great too. 
