7 Cybersecurity Practices Your IT Managed Service Provider Should Be Addressing

Posted on February 26, 2021 by Marijana Dabic

Targeted ransomware attacks against IT managed service providers (MSPs) are on the rise with potentially catastrophic implications for both the MSP and the customers who depend on them.

Both the frequency of attacks and the associated ransom demands are climbing, not to mention the reputational impact and potential litigation the MSP may face from disgruntled customers who are unable to access their network.

CFC put together the following basic best practices that MSPs should be putting front of mind to protect themselves, and by extension, their customers:

MFA for MSPs, please
It’s crucial that MSPs implement advanced multi-factor authentication (MFA) on all applications to reduce the risk of a malicious third-party intrusion. This process is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborates their identity. This unique data comes in three forms – something you know (i.e. your password), something that you have (i.e. a one-time passcode generated by an app or hardware token), or something you are (i.e. fingerprint, retinal pattern, voice signature or facial recognition). A significant number of cyber incidents could be avoided simply by implementing advanced MFA. Find out more.
Password123 really is as easy as ABC
Simple and commonly used passwords enable intruders to easily gain access and control of a computer, whether they are taking advantage of unchanged default settings or running brute force attacks. It may sound simple, but strong, long, unique passwords that are changed regularly are a must for all MSP employees. Keeping track of passwords can be difficult – one little trick is to use sentences as passwords, but you can also use one of a number of handy and affordable password managers on the market.
Whoa! Back it up!
MSPs should not only be doing regular backups of their data, but ensuring that those backups are bulletproof. This means storing these outside the network and offsite and testing them regularly. To find out how failed backups affected one of the technology firms CFC insures, check out this cyber claims case study.
Responsibility for cybersecurity
Given the potential widespread impact of a breach emanating from an MSP, every MSP should have a written cybersecurity program with a person assigned a role as a cybersecurity officer who has relevant experience and qualifications. Cybersecurity should not be considered an afterthought or an upsell – it should be a number one priority for all MSPs, with someone internally designated to lead the charge on cyber protection and risk mitigation.
Know your client
Sales are one thing but are you aware of what your client’s expectations and needs are? Different industry segments have vastly different requirements – including uptime requirements and backup frequency. Taking on clients and treating them all equally without understanding their specific requirements can have disastrous consequences in the event of a cyber event. Clients in the healthcare, legal and financial sectors, for example, hold and rely on a lot of sensitive information and thus should be treated differently. A significant outage from a cyber event can be disastrous for them – and in turn for the MSP too!
Know your vendor
Even if an MSP has the most robust security program possible, their data is only as secure as the weakest vendor that has access to their data. It is therefore critical that all MSPs have a vendor due diligence program to ensure their cybersecurity practices meet minimum standards. This is crucial in mitigating and avoiding threats.
Know your weaknesses
It might sound obvious, but all MSPs should implement an effective vulnerability management program which identifies and remediates security vulnerabilities in software. Vulnerability management is not just about patching (though very important!) but about making informed decisions and properly prioritizing the most serious security vulnerabilities first.

Source: www.cfcunderwriting.com

What Makes Up a Cyber Policy

Posted on January 28, 2021 by Marijana Dabic

Cyber insurance policies tend to be modular in nature, meaning that they consist of a variety of different coverage areas. For many, that has led to confusion around how exactly this cover fits together to create a uniform whole.

To help explain this further, CFC has dissected their cyber policy section by section to show how each part of this body of coverage functions. Check it out below or download it to be able to adjust the document size or to share with your clients.

Source: www.cfcunderwriting.com

Securing the Remote Desktop Protocol

Posted on December 30, 2020 by Marijana Dabic

With more and more cyber incidents stemming from vulnerable RDP ports, CFC’s Incident Response Team has provided some more information about this technology and steps that businesses can take to protect themselves.

What is Remote Desktop Protocol (RDP)?

RDP is a proprietary Microsoft protocol that allows a user to access their desktop and computing resources remotely from another computer. It is also sometimes referred to as Terminal Services.

Why is RDP vulnerable?

The presence of RDP being available over the internet can be easily detected by people scanning the entire internet. Cyber criminals routinely attack computers and servers where RDP is accessible in order to install malware such as ransomware, or to use the computer as a staging post for other attacks.

They attack RDP in various ways such as brute-forcing their way into the network by trying millions of different passwords that have been exposed in previous breaches, or by using compromised passwords from phishing attacks against the company. RDP is also subject to several software vulnerabilities that if left unpatched can allow an attacker access into your computer network.

Suggested steps to protect your network

Turn off Remote Desktop access if it is not necessary. If necessary, secure it behind a VPN and/or multi-factor authentication. This is often best achieved by using an RDP Gateway server in conjunction with a firewall.
Use strong, unique passwords throughout your network. The UK’s National Cyber Security Centre has excellent guidance on modern password policies available at https://www.ncsc.gov.uk/collection/passwords/updating-your-approach.
Keep your operating system updated. Several well-documented and routinely abused vulnerabilities exist in RDP, and new software vulnerabilities are found all the time so patching them in a timely manner is vital. Where the server is running an outdated version of the Windows operating system (such as Server 2008 or Windows XP) look to upgrade the software to a more modern version currently receiving security patches.
Limit the number of failed logon attempts before timing out to a number suitable to your organization. This makes systems significantly more resilient against brute-force attempts to guess user passwords. You can also disable the built-in Administrator account on Windows servers and/or rename it to something else, as that is the most commonly guessed username.

Source: www.cfcunderwriting.com

Nursing Home Faces Huge Financial Loss from Social Engineering

Posted on November 26, 2020 by Marijana Dabic

Social engineering involves the use of deception to manipulate individuals into carrying out an act, such as transferring money, handing over confidential information, or clicking on a malicious link, and it’s causing serious financial harm to organizations around the world.

Any organization that transfers funds electronically can be susceptible to social engineering attacks, and entities operating in the care sector are no exception to this. Many care homes not only receive funds electronically in the form of payments from residents and their families or funding from government bodies, but they also disburse large amounts of money in the form of payments to members of staff and to third party suppliers and contractors. All these transactions make for a tempting target for cybercriminals, who are constantly on the lookout for opportunities to intercept fund transfers and divert them to fraudulent accounts.

One of CFC policyholders affected by such a loss was a company providing assisted living facilities for elderly residents across three sites.

In this case, the care home was the victim of what is sometimes known as “CEO fraud”. CEO fraud typically describes a situation in which a fraudster impersonates the CEO or another senior executive of an organization and instructs an employee to make an urgent payment to a fraudulent account for a particular reason.

Password protection problems

In this instance, the fraud appears to have stemmed from a targeted brute force attack on the care home’s CEO’s business email account. A brute force attack is where a hacker uses a computer program to crack passwords by trying numerous possible password combinations in rapid succession, with the program typically trying a long list of the most commonly used passwords. The longer and more complex the password, the more difficult and time consuming it is for the program to crack.

Unfortunately, the CEO’s email account did not have a strong password in place. With the password lacking in both length and complexity, the program was able to crack it. To make matters worse, the care home did not have multi-factor authentication enabled for remote access to email accounts, meaning that as soon as the CEO’s password was cracked, the hacker was able to gain access to his account without having to go through a second verification procedure, such as inputting verification code or number.

Having gained access to the CEO’s email account, the fraudster was able to spend time perusing the CEO’s inbox and outbox, gathering valuable information about how wire transfers were processed at the company as well as establishing the working relationship that the CEO had with members of the care home’s finance team. What’s more, the fraudster was also able to access the CEO’s calendar and establish what the CEO would be doing on any given day.

Having worked out the CEO’s schedule from his calendar, the fraudster waited until the CEO was on holiday. With the CEO not on site at the care home and with reduced chances of the scam being uncovered, the fraudster chose this moment to strike.

The first step was to send an email impersonating the CEO to a member of the care home’s finance team. The fraudster used a method known as email spoofing, which is when someone sends an email from one email address but labels it as being sent from a different address. Fraudsters use programs or websites which enable them to make an email look as though it has come from a legitimate email address, as well as allowing them to alter the address that the recipient responds to. The fraudster sent an email that appeared to come from the genuine email address of the care home’s CEO, and any response to the email was sent to a remarkably similar looking email address set up by the fraudster.

So while the emails sent by the fraudster appeared to come from the CEO’s genuine email address of Joe.Bloggs@XYZresidentialcare.com, any response to that email would automatically be sent to Joe.Bloggs@XYZresidentilcare.com, ensuring that the CEO wouldn’t see any response from the member of the finance team to the email and uncover the scam.

The fraudulent email explained that the CEO had received notice of an outstanding payment of $47,584 that needed to be paid urgently to a firm that had supposedly provided some management consultancy work for the care home a few months ago. The email included the account details that the funds needed to be sent to and the fraudster was keen to stress that the payment had to be made the same day.

Fine tuning the scam

The fraudster also added some subtle touches to the email to make it look as authentic as possible. The CEO addressed the member of the finance team using an abbreviated version of her full name, which the fraudster appears to have picked up from viewing previous email correspondence between the CEO and this member of the finance team. The fraudster also mentioned that he was enjoying his holiday and would be busy all day and signed off with the CEO’s genuine email signature.

In normal circumstances, the member of the finance would have confirmed the details of the transfer with the CEO in person. But with the CEO on holiday, and with the email appearing to come from the correct address, along with the use of her nickname and a genuine email signature, the employee assumed that the request was genuine. Not wanting to disturb the CEO while on holiday and conscious that the payment was urgent, the employee paid the funds into the account and sent an email confirming this to the account run by the fraudster.

Seeing that the initial ruse had worked, the fraudster sent a similar email the following day, this time requesting a payment be made for $39,731 to another account. The employee arranged the payment once more, meaning that some $87,315 in total was transferred to accounts controlled by the fraudster.

The scam was only discovered a week later when the CEO returned to the office and the payments were brought up in conversation. The care home reported the incident to local law enforcement and tried to get the recipient banks to recover the funds, but most of the money had been withdrawn from the accounts. One of the banks was able to recover a meager $600, leaving the care home $86,715 out of pocket. Fortunately, the care home had purchased cybercrime cover on their cyber policy with CFC and were able to recover most of the loss.

The key driver for cyber claims? Human error

This claim firstly illustrates how CEOs and senior executives are prime targets for cybercriminals. These individuals usually act as the face of their companies and tend to have bigger profiles on company websites and social media accounts, allowing cybercriminals to gather valuable information about them. In addition, cybercriminals know that employees are instinctively less likely to question instructions from CEOs and other senior executives. Individuals in leadership roles need to be especially conscious of sticking to good cybersecurity practices, such as having good password management in place. Likewise, employees need to be alert to suspicious emails from senior executives, particularly in instances where an urgent payment request is made, and have robust callback and authentication procedures in place.

Finally, this claim also discredits one of the most common objections to cyber insurance: namely that by investing in IT security, organizations have no need for cyber insurance. But most cyber incidents are a result of human error. With increasingly sophisticated attacks like this on the rise, it makes it very difficult for employees to tell the difference between a real email and a fake one. Furthermore, with more and more financial transactions being carried out electronically, the number of opportunities for cybercriminals to steal these funds has never been greater. Having good training and authentication procedures can certainly help reduce the risk of an event like this, but it’s impossible for any business to be completely impervious to attacks. This is why cyber insurance should be a part of any prudent organization’s risk management program, acting as a valuable safety net should the worst happen.

Source: www.cfcunderwriting.com

Product Recall Insurance

Posted on October 27, 2020 by Marijana Dabic

Product recall insurance helps safeguard a business from the financial impact of a recall, specifically the first and third-party costs associated with identifying and addressing the issue, conducting the recall and keeping the business operational.

When considering product recall insurance, it’s important to remember that the cost of a recall includes much more than the cost of getting the goods off shelves or back from customers.

Recalls of any kind can impact cash flow, squeezing a company’s ability to pay staff, purchase raw materials or even continue production. For some businesses, a product recall can present a true crisis.

For more information about CFC’s product recall policy click here to download the full infographic below.

Source: www.cfcunderwriting.com