Join our guests Lauren Winchester and Joel Fuhrman of Corvus Insurance, as they discuss how to approach cyber risk management. They also discuss how Corvus Insurance is working with TMLT to provide security scans of our policyholders’ websites.
Anthony Passalacqua: Hello and welcome to this edition of TMLT’s podcast TrendsMD: Answers for Health Care’s Digital Trends. I'm your host Tony Passalacqua, and today I have special guests Lauren Winchester and Joel Fuhrman from Corvus. I also have Juan from our IT department co-hosting. Our topic today is cyber security.
TMLT is working with Corvus Insurance — an insurance technology firm — to provide our policyholders with more robust cyber risk management. Every TMLT policyholder will have a security scan of their website conducted by Corvus to detect any cyber vulnerabilities. Corvus will then provide each policyholder with their individual report identifying any risks found and how to mitigate them. Reports will be provided on our MyPortal member website for download. If you are a policyholder and want more information about how we are working with Corvus, please contact Customer Service at 1-800-580-8658.
Lauren Winchester, 1:10: Hi, thanks for having us!
Anthony Passalacqua, 1:11: Lauren and Joel, would you guys like to go ahead and introduce yourself to our listeners? Hi, guys.
Lauren Winchester, 1:15: Sure. Hi, everyone, I'm Lauren Winchester, I head up our risk and response services at Corvus Insurance. So, I help policyholders on the front end with risk mitigation solutions, and vulnerability, alerting, and just kind of all things cyber security. And, then I'm available as a resource should there be a potential data breach to help them with incident response. And, my background, I'm a privacy attorney by background but have spent the last seven years in insurance.
Joel Fuhrman, 1:46: And I'm Joel Fuhrman, I am a cyber liability underwriter. I do both our open market products as well as our embedded, what we call reinsurance products, similar to what we did for TMLT. My background, I've been underwriting cyber liability for about 11 years. Now, prior to that I was in a software company; I was doing technical project management. And as part of that, we were securing servers and wireless networks. So that's carried over to what I do now.
Anthony Passalacqua, 2:15: Wonderful, thanks you for those introductions. As Juan and I were looking through all of this information, one of the big things that we were looking into was detection of cyber threats. Juan, you kind of had a really neat statistic that you found.
Juan, 2:28: That was reading a document from Trend Micro, and, you know, last year was a crazy year with the pandemic, and I think all those tricks that, you know, hackers were able to do, I believe it was like 20% - the increase just last year, and I think that was really, really crazy. When I was reading that document, Anthony, I think you and I, we have that discussion. And I was just impressed.
Anthony Passalacqua, 2:51: So, one of the things that we wanted to jump into here with the podcast is, in my head, I break down risk management into two kind of distinct sections - the proactive cyber risk management and then a reactive risk management. And, so one of the biggest things that I think of on the proactive side is how important is it to educate users on cyber risk management?
Joel Fuhrman, 3:16: I can take that one. So, this is really your frontline defense, right? There's so many of these exploits start with phishing, maybe any general user or it could be like a spear phishing campaign to try and get credentials from a privileged user. So, user training is definitely not the “end all be all.” It can't be something that you rely on as your main cyber security defense. But it is your frontline defense. And you know, having folks who are educated on what to look for in those kind of, those phishing campaigns, or sometimes it's even a telephone call, or we’re even seeing now in some of the latest ransomware attacks, where the bad actors are directly contacting employees and offering incentives for them to help. So going back to, you know, when I started doing this, 11 years ago, we talked about the importance of training, and it's still every bit as important today. However, that being said, you do have to assume that you know, regardless of how much training you do, you will have some people that get duped and, you know, click on the link. And it's very important to have defense in depth so you know what happens after that. But I definitely recommend you do the best training and awareness you can do for your users, but also assume that somebody is going to miss that training or, you know, make a mistake.
Lauren Winchester, 4:34: Yeah. And I also say like, there's sometimes can be a level of overconfidence if you're finally getting that great budget for, you know, information security, and you're finally getting some really cool tools in place, that these tools are going to help you identify and prevent attacks. And yes, to some extent, that's true. But what we see, day in day out, is that even with some of the most sophisticated tools in place, a phishing attack was really what started the attack. And, so to Joel's point, there's no replacement for a really robust education program with your employees.
Juan, 5:11: I've been working in IT for a couple of years. And I feel like the biggest issue that I have is that users, like Joel said, people, they just click on links. And I think, to me, it's really important to get them a good education and make them aware. So, I think it's a great, great answer from from you guys.
Joel Fuhrman, 5:28: You know, the time that I've been underwriting cyber, I've heard the best, what we call click rate, so you know, these, like phishing campaigns, and what percentage of the employees actually would click on a link or open an attachment? The best I've heard in my career is 2%. And that was probably one of the most sophisticated, you know, testing campaigns. So, you know, even in the best-case scenario, if you can get to enough people, if you can get to 50 people, chances are one is going to click on, you know, on this malicious attachment or malicious link. So again, we'd like to get 50 out of 50, 49 out of 50 is great. But in the absence of these campaigns, oftentimes, you'll see even as high as 20%, most of the time in double digits without training.
Anthony Passalacqua, 6:13: Well, I know from TMLT’s perspective, we do something called security risk assessments. So just for any of our listeners who are out there that are a physician practice, security risk assessments are used for compliance-based issues. And one of the components that we do dig into, our security, administrative technical features that are built into the security risk assessment itself, as well as privacy. So, if, if you're looking at having really good training, please feel free to contact TMLT’s Cyber Consulting Service Department, and we can set you up with a security risk assessment.
Juan, 6:53: How do hackers get access to computers? Do they have physical access? Do they have like a remote access or how does that work?
Lauren Winchester, 7:02: So many different ways, Juan. I'd say first and foremost is phishing as an attack vector, which we've already mentioned before. But really, that's, that's the main way that we see hackers start to infiltrate an organization is to send phishing emails. They might do a widespread campaign to see how many users they can get. They may not even be targeting that organization initially, they're just casting a wide net. Or, perhaps they are targeting the organization and they're being a little bit more discreet and who they're reaching out to. But either way, they're sending some sort of phishing email. The one goal might be just to get credentials for that user. And so they may send a phishing email that if they see that company is running Microsoft 365, or corporate Gmail, they might send a phishing email that looks to be like Microsoft 365. The user clicks on the link, takes them to a web page that again, looks like 365’s logon page, they put in their credentials, and either nothing happens or maybe it takes them to the real page, and they put their credentials in again. Either way, very challenging for that user to identify what's just happened typically. In my experience, they almost never realized that something went amiss, and that they were at a fraudulent website. On the backend, that threat actor has now gained their username and password and might be logging right back into the email. And then a little bit, we can talk about ways to make sure they can't just turn around and log back in. But this has been a tried-and-true way for threat actors to get credentials in the past couple of years and super easy to accomplish. They might also be using that phishing campaign to try and get users to click on or download malicious software malware in order to, you know, be able to gain access to the system that way. Now, when you do a malicious email like that with an attachment, there's going to be a higher chance that spam filters and email security programs may identify and flag that email and not allow it to go through, which is one of the reasons that they favor those credential emails so much more. But either way, we've seen, we've seen that as an initial attack vector. Some of the other things that we've seen preferred by threat actors have been open ports to assist them specifically open Remote Desktop Protocol ports, and with remote desktop service running behind that. For those less technical, what that means is basically it's a legitimate windows program that allows someone on Computer A to remotely log into Computer B and do work. So, this is especially used in smaller companies who might have outside IT. And not, it's not in and of itself bad. But what's bad is when it's open facing to the internet and scannable by threat actors and not properly protected. So that's another favorite for threat actors. And then I'd say the third is going to be your more traditional software vulnerabilities, particularly unpatched systems, unpatched VPNs, in particular. So, you know, name of the game there is for companies that are not doing robust patch management and not doing that quickly, they can be at risk particularly for software running at their perimeter.
Joel Fuhrman, 10:34: You get a lot of press coverage of like a zero-day vulnerability attacks and that sort of thing. And that's really a very small percentage of the incidents that we actually see, those you know, very sophisticated nation/state kind of things, or where you know, that are the most capable criminal operations out there are aware of a vulnerability that nobody else is, that's really a very kind of fringe case. What we see most often is a known vulnerability that hasn't been patched and it's exploited by the vast majority of folks who are aware of that vulnerability and how to take advantage of it.
Anthony Passalacqua, 11:09: So, those are great answers. So, one of the questions that I always have is as a user, what you sometimes hear is, well, “We have phenomenal security and my firewalls, everything's all set up and so therefore, I don't really have to worry about fishing because we have such robust security systems that will, it'll catch it, right?” I mean, that's sometimes the argument you get. So, with a phishing campaign when you do click on that link what exactly happens?
Lauren Winchester, 11:38: Yeah, you may have a very robust email security program, and perhaps it is catching the super obvious phishing campaigns or the ones that clearly have a malicious payload attached to them. But what we do see is when they just include a link out, that's not always getting caught by the spam filters. And that link itself isn't malicious, it doesn't download anything to the computer, it just takes them to a website where they enter credentials, and the threat actor grabs it. So those tend to evade even the best email security filters that you might have, though not all of them. And don't get me wrong, these tools are very needed, and they cut out a ton of spam. But you have to assume even the best are going to miss things. And even the best will miss some of those malicious payloads as well that are in attachments. Or we've seen, you know, a link out to a nefarious website where the user then downloads from the website, so it didn't get caught up in the email security tool. And instead, it would be more a matter of what sort of controls do you have in place on the user's computer that would prevent them downloading something from the internet?
Anthony Passalacqua, 12:53: That did actually raise two additional questions. We were talking a little bit about the RDP connections. Is there any specific port, if we're running a DLP Report, that a practice should be particularly concerned about like, let's say Port 443?
Lauren Winchester, 13:09: Yeah, great question. So, it’s good to dive into this a little bit, because it is just super easy to secure RDP, and it's just not done. So, what we do when we're scanning and Corvus has its own in-house scan that we use, external facing only, noninvasive, but we're looking for things that threat actors can look for as well. We're looking for weaknesses. And one of the things we're looking for is, can we identify that you have open port 3389. And 3389 is a port that is typically used for RDP or running Remote Desktop service behind it. That's not to say you can't change the port. So other organizations that are trying to obfuscate their RDP use and not make it so obvious for threat actors, they'll change the listening port for RDP and that's one step you can and should take. But, by and large, if we see that you've got an open 3389, we, for the most part, know you're running already RDP behind that or RDS behind that, if you're not securing that with MFA, if you're not putting that behind a VPN so we can't see it, then we know it's definitely vulnerable to some password cracking. And, you know, sometimes we get the question, well, obviously, we don't have it just open, we've got a username and password on it, right? But chances are a threat actor seeing that port with just protected by username and password they’ll be able to crack that, they can brute force that port pretty easily and get in that way. So really, what we're trying to encourage policyholders to do where we see 3389 open, is we give them a couple of steps on how to better secure it either put it behind a VPN, at the very least turn on multifactor for it, change the listening port. But chances are you have ways to properly secure it, or to shut it down if it's not being used.
Joel Fuhrman, 15:09: To quickly add to that, I mean, we're at this point, we're about, you know, year and a half into the pandemic and, there are a lot of folks that had to quickly figure out, you know, how do we work remotely, you know, places that were in office, you know, operations primarily. So, you know, there was a lot of kind of scrambling to get any solution in place that worked. You know, more so than then, you know, really planning for information security, and that, that moment when folks just had to get back to work. Unfortunately, even though you know that it's been a year and a half since that started, we still see you know, so many that were set up with that information security in mind and it's been, it's really made the hackers job a whole lot easier. Now we see, you know, ransomware proliferating the way that it has. It would be great if folks just kind of took those couple steps that are easy to do, you know, in which they could secure, you know, that vulnerability.
Anthony Passalacqua, 16:07: So, the last question I have on this one here, we were talking a little bit about email attachments. And, so one of the interesting things about HIPAA is that it does allow individuals to communicate back and forth via unencrypted email. And, so one of the things that I always think of is, as those attachments are coming in, like let's say, PDF or Word or even an Excel document, is there any security things that you would want to keep in mind, such as, like scanning those documents and attachments beforehand? If so, why?
Lauren Winchester, 16:41: Yeah, so this is where a secure email gateway can certainly come in handy, right? So, something like a Proofpoint or a Mind Cast, when the right controls are turned on within it, and you've got a IT or IS person in your company, or even, you know, a third party doing it for you - monitoring that - you're able to have those attachments scanned quickly or opened in a sandbox when suspicious. And so that can go a long way. Now, again, it's not going to catch everything. But it does really help to have that kind of technology turned on. And, you know, really, it's a matter of your risk tolerance, and just how much you crank it up, right? Because you're always going to have the users complaining that certain things are not coming through. So, it's a delicate balancing act for how much you allow through versus how much you're going to have opened in sandbox, but [it’s] certainly worth the investment to protect your company.
Juan, 17:43: Lauren, you were talking about earlier about like, do you guys do scanning on websites? So can you tell us a little bit more? And how long that it takes to do the scanning that you guys have?
Joel Fuhrman, 17:56: Oh, yeah, I can jump in and take that one. Our scanning technology, in general, it's going to take a matter of a few minutes. Most will run within a few minutes, some of the more complex networks can take a bit longer than that. But essentially, it runs very quickly, the way that we've we've built it, and therefore, you know, we can do it often. And we can use it as a tool in our underwriting process as well.
Juan, 18:23: When you guys run those scans, is it like your website goes down? Or they can look into your website while you guys are running the scan? Or how does that work?
Joel Fuhrman, 18:32: Sure. Yeah, I know, it's not disruptive. The scan is not disruptive. It's not like, like, there's a large, you know, load on the web servers, you know, like when somebody launches, like a distributed denial of service attack or something. This is a very light, you know, pinging of servers that will return information that, you know, that we can use in our analysis. You have to send out vulnerability alerts.
Lauren Winchester, 18:54: Yeah, it's, you know, it's quite likely that the domains, the websites that, you know, all TMLT policyholders are using, all companies are using, are getting scanned regularly by various vendors. It's not slowing down your website activity at all. Again, because it's noninvasive. So, we're kind of, I liken this to a house, right? We're walking down the street, looking at houses, looking at open windows and open doors. We're not trying to walk through them, though.
Juan, 19:28: So, I have another question. So, do you think that hackers do kind of like the same thing, they scan websites just to get to gain access? Because, you know, when hackers are thinking to get into somebody else's website or a computer, they're just trying to gather information and trying to take pieces, and you know, at the end of the day, they're gonna try to solve a puzzle. Do you guys think that hackers can do the same thing like you guys are doing like scanning? Or what is the difference between that?
Lauren Winchester, 19:59: One hundred percent! Except they have a lot less ethics than we do. So, they're walking down the street, looking for open doors and windows, and then jumping on through them. Yeah, they're, they're doing this, right? Because it's good bang for their buck. They can find who seems to be more vulnerable, who's running outdated software, who has known vulnerabilities to them. And they can use their time wisely and target those organizations. So, they don't necessarily care how big or small your organization is, if you have an open door, why wouldn't they walk through and see what they're going to get, right? So, they're absolutely using scans as well. Obviously, not ours, but there are open-source materials out there that they can leverage to do this kind of scanning. And that's why we find it's such a valuable tool for our policyholders, because if we can see it, so can they. It means that quick action is needed. But, you know, I think what you'll also see for threat actors and, not to go too far down the rabbit hole, but particularly for ransomware there's a whole supply chain related to ransomware attacks. And what you'll see are the threat actors that ultimately launched the ransomware attacks and actually launched the malware that's going to encrypt systems, may not have been the ones that actually broke into the system in the first place. And, so there are threat actors that just specialize in breaking into companies from a couple of known vulnerabilities, be it RDP, be it some VPN vulnerabilities. They sit there all day long, and break into companies, gain access, and aggregate that and sell it in bulk to other threat actors in the chain. So, you'll find this hyper specialization of threat actors who have their favorite modes of compromising companies,
Joel Fuhrman, 21:46: I think, you know, a lot of the headline grabbing attacks are, you know, oftentimes they are a targeted attack on one company. You know, somebody will get like colonial pipeline, that's, you know, one of the big ones, where they were specifically trying to get to somebody that is a critical part of the, you know, the supply chain, and then would have a need to, to quickly, you know, essentially pay a ransom to get access to their systems back. But oftentimes, it's just a crime of opportunity. It's really that analogy of walking down the street and seeing open doors and windows, you know. So, I think a lot of people have the kind of misconception that I'm just a small, you know, operation, Joel's Pizza Parlor on the corner, I don't have anything to worry about, really. But, in reality, somebody that has these tools and has the capability to quickly and easily launch an attack, even if they they're not getting a huge sum, like they might ask for like a colonial pipeline, it's still well worth their time to do so.
Juan, 22:43: And I have another question. So, what do you guys think is the best benefit of scanning these websites, but I'm talking about from the ethical standpoint,
Joel Fuhrman, 22:51: All the time, there are new vulnerabilities that are coming out. Every second Tuesday. I think of the month Microsoft does the Patch Tuesday, there are, you know, constantly evolving, you know, new vulnerabilities. And, so with technology like this, even if you think that you've patched against them, this is a good way to make sure that's in place. I've had clients that have specifically run patching that was recommended by Microsoft or some others and thought that they were completely patched against a vulnerability. But when we ran the scan, we found that they weren't. And in one case, it was just the patch didn't run, it didn't take, So, I think being able to get to check your systems regularly to see, are there new vulnerabilities out there? Do we miss anything? Do we, you know, did we try to do this but maybe didn't work? I think that's really a great benefit of the scan.
Anthony Passalacqua, 23:44: Does it scan the actual website directly?
Lauren Winchester, 23:47: Yeah, so that's where we start. So, for Corvus, when we're doing a quote for cyber insurance, the broker is giving us the main website for the company, or the most relevant website, at least for the company. We're not just scanning that one website, what our scan is doing in the background is trying to determine what other domains might be connected to that main domain. So, it's doing a bit of an outward search. And then it's going to dive deeper on each of those to see what sort of IT assets we can see, and what vulnerabilities we can see. Typically, it is finding more than just the main website. Now that said, it's not perfect. And depending on how companies have structured their domains, you know, there might be a more relevant domain that they are intentionally not connecting to their marketing website, which good on them, right? And we might, we may or may not pick that up. So, what's great about what we do is we tend to lean into that and we have calls with policyholders. If they reach out and say, “Hey, within our scan report, we're not sure you're picking up this other domain.” That's actually really relevant to us. And we want to know that that's secure. And we say, “Okay, great.” We look at the underlying data for that particular scan and say, “Nope, you're right, we did not catch that one. Let's run our scan against that one and give you the report.” That kind of interactivity with policyholders can be really great because we learn, they learn. And so, for those that are really leaning into it, we're happy to provide that additional data.
Anthony Passalacqua, 25:25: So, one of the really interesting things that I've actually run into personally is, I've actually helped build one website before but one of the interesting things is, as we were building the website we actually had a malicious actor come in and take over that website. So, one of the interesting things is if you are controlling your own web design, just from your side, one of the big things they told us to do is to add in MFA, which for any listener out there who hasn't heard that term before, it stands for multifactor authentication. So it's a, it's a way of confirming like a PIN or something like that through a secondary, like software program or email, so that they can confirm your identity.
Juan, 26:10: I want to add something here, Tony. I think it's important to forward your cell phone or your apps, like emails or apps that you might be getting to your cell phone. I think it's great to use a multifactor authenticator. There are a bunch of them. I think Google has one, I use that one, I think it's a great idea to have the application.
Lauren Winchester, 26:31: I would MFA my house, if I could. Let me tell you MFA all day, everywhere you can put it. Um, we're getting ahead of ourselves. Because I know we want to talk a little bit about common security controls, but can't say enough. If you can put MFA on it. You should be.
Anthony Passalacqua, 26:48: Agreed. Do you guys have any other kind of like tips and tricks, maybe for a practice to lock down their website? If they're managing it?
Lauren Winchester, 26:56: I think the key is definitely, you know, understanding who has access to their website, right? And so, if that company has direct access into their website, like you said, locking down the credentials so there's also MFA to get into it. But you know, more often than not, companies are also using web developers. So, understanding what the security practices of the web developer are, is also very helpful. And I don't think you need to be super technical in order to ask questions and try and determine their level of sophistication. It's really just about asking what sort of controls are in place. See how they respond. Are they kind of giving you a super surface answer, or very short or quick are starting to sweat when they're, when they're responding to you? Maybe you haven't found the best web developer for your company. Also, just ask, “Are you protecting your credentials, you know, into our website with multifactor authentication?” And see what they say. If they say, “Huh?” that's also a red flag. So, you don't have to be super technical to start to suss out their level of sophistication there. And then what we see is, you know, when we're scanning, we're looking to see what sort of protections are on a given website. A lot of times, we see there's missing HTTP security headers, which indicates to us the web developer didn't put those headers into the code of the website. Super easy to do. Helps prevent domain hijacking and other things. So, you know, again, if they're leveraging scans, whether from us or from other sources that can help kind of highlight some not so best practices within the setup of the website.
Joel Fuhrman, 28:38: I just add to that, beyond even the web hosting company, really anybody that that you're giving access to your network, regardless of their function, that's something that you need to look closely at - their security policies. Also consider what type of access are you giving them? Do they just need it occasionally, can you you know, turn that off and turn it on when it's needed? Does it need to be persistent connection? One of the things that, you know, we've seen with attacks over the past year or so like, it's the most noteworthy one being the cause a breach was, you have bad actors that are specifically looking for these kind of points of aggregation, right? So, if I can get to this web hosting company, and they have persistent access to fifty clients, then I can get to those fifty clients. So, you know, so those are folks that we see truly being targeted. And you know, if you're one of those clients, you need to make sure that they're using at least the, you know, the minimum that controls that, you know, that you're using yourself.
Anthony Passalacqua, 29:40: In part two of our discussion, we’ll look at reactive cyber risk management, and even take a bit of deeper dive into what parts of cyber security our guest speakers find the most intriguing. If you are a TMLT policyholder and need to confirm or update your website information so that Corvus can conduct its security scan of your website, please contact our Customer Service Department at 1-800-580-8658. Thank you to our guests Lauren Winchester and Joel Fuhrman of Corvus Insurance - and thank you for you listening to TrendsMD.