Mon, Nov 22, 2021

10 Essential Cyber Security Controls for Increased Resilience and Better Insurance Coverage

While threat actors continue to vary attack methods, these 10 essential cyber security controls can significantly improve your security posture, therefore making it harder for cybercriminals to compromise your network and increasing your opportunities for cyber insurance coverage. Validated by our seasoned cyber security experts based on frontline expertise and with a thorough review of the expanded questionnaires now requested by most cyber insurance carriers, this session presents key takeaways for each of the controls and their real-life effectiveness.

Watch the Webcast Replay

10 Essential Cyber Security Controls for Increased Resilience and Better Insurance Coverage

This webcast covers:

  • Why these 10 controls are essential
  • Types of attacks these 10 security controls help mitigate
  • How cyber criminals leverage weaknesses in the 10 essential controls to deploy ransomware
  • Real life case studies of incidents against organizations with weak essential controls and how they compare against more resilient organizations
  • What cyber insurance carriers are looking for in order to underwrite or renew policies
 

Speakers

  • Mari DeGrazia, Associate Managing Director, Cyber Risk, Kroll
  • Elizabeth Dill, Partner, Mullen Coughlin
  • Jeff Macko, Associate Managing Director, Cyber Risk, Kroll
  • Peter McKeever, Assistant VP, US & Canada Cyber Practice, Marsh
 

Download Webcast Slides 

Notable Passages From the Presentation

On the 10 Essential Controls

Ransomware is an endemic problem everywhere right now for many, many companies. And if you're not protecting yourself correctly, you're not going to be in a position to be able to get the insurance coverage that you need. And you're most likely going to be in a situation where you have a security incident down the road. – Jeff Macko

Cyber security is a holistic approach and these are 10 that I think we sort of see as the most impactful. Again, I think there's nuances to each of them. Each of them varies in importance based on your industry class, what you're doing and how you're calibrating that individual control. – Peter Mckeever

These are the ones that we see regulatory authorities asking about the most when we have to report an incident to one of them. They're becoming routine questions from the follow-up inquiries, regulatory authorities, and are much more specific. There are a number of states that have, in varying forms, information security standards that require reasonable and appropriate safeguards to be put in place to protect personal information and things like multifactor authentication. Things like having an effective incident response plan. Those are considered industry standard these days. – Elizabeth Dill

On Multifactor Authentication (MFA)

Something that I see happens a lot is an organization will say, oh, we have multifactor authentication, but we only have it for this subset of users. And they don't push it out across the board, or they forget to put users in the correct groups to enforce this. So, they think that they have it pushed out to everybody, but there's a handful of people where it just wasn’t implemented quite correctly. And the attackers are very good at knowing about these weaknesses and finding those accounts… – Mari DeGrazia

They’ll say, well, we've got MFA on our email and we've got MFA on our VPN. And then we'll ask the question. Well, do you have MFA on Slack? And they'll be like, no, they don't have MFA on Slack. Can a user go into Slack and talk to their IT team? Probably. So, as testers from our side, we impersonate a user, go into Slack, talk to the IT team and tell them I've lost my phone and I need to get you to reset my MFA token. Can you do that for me? And then we reset it. And now we're in a situation where we can bypass their MFA. – Jeff Macko

Proper configuration is very important. Two years ago, MFA was a much better deterrent than it is now, in that attackers are recognizing that some companies are employing MFA, but they're exploiting vulnerabilities in the way that it's configured. So, understanding the configuration options and making sure that they are applied appropriately is now very, very important. – Elizabeth Dill

On Virtual Private Network (VPN)

The idea of being a secure gateway to access company data, where users can be authenticated, so, that the computer connecting to your company network, is a computer that's authorized to be on that company network. What we've seen in the news is a lot of the VPN vendors have not done a great job in maintaining the operating system or making sure that their clients understand the vulnerabilities and the VPN server itself. And I think this comes back to some of the patching for orgs, where many organizations are really good at patching windows desktops or patching their servers, but often some of the networking devices get left out from that patch rotation and VPN servers have been one of those issues that have come up of late. 
– Jeff Macko

What's the make, model and version? And then we go look to see what the latest exploits are on it. And so many times when we're doing our investigation and we look at the IP addresses and the IP address range where the attacker comes from, it goes back to the VPN. So, like you mentioned, Jeff, the patching on it is so critical, because usually within days of an exploit being published, it's already being done out in the wild and that's how the attackers are getting in. – Mari DeGrazia

On Remote Desktop Protocol (RDP)

Many companies need remote access to their servers. This can happen inside the company where an administrator might be on a laptop or a desktop, and they need to administer the file server. And one of the ways for them to do that is with RDP, which is a protocol that lets them see a view of the remote server. – Jeff Macko

Internet exposed RDP is just a bad idea, primarily because many companies configure that host so that any employee can log into it. And that often means that an attacker who's sending passwords against usernames and passwords at random against that host, will eventually find a way to log into that RDP server. – Jeff Macko

When I'm scoping a case and talking to the client, that is one of the first questions I ask. Do you have RDP? Do you have MFA on it? And if the answer is, yes, we have RDP, no MFA. That is the first system I am taking a look at. And usually within a matter of minutes, we can let them know that's how the attacker got in. So, I would say this is definitely one of those low hanging fruits that could easily stop the majority of ransomware attacks right here. – Mari DeGrazia

They're going to consider all these top controls, but what they're going to look at is where are the losses on our book coming from? And certainly, focused on RDP as that's driving the majority of ransomware losses. – Peter Mckeever

On Endpoint Detection and Response (EDR)

The correct state of the art nowadays is looking at a product that they typically call endpoint detection and response. And the difference on that compared to antivirus is antivirus tends to find known badness, things that are already known in the industry to be malicious or possibly malicious. – Jeff Macko

It's the moat around the castle. It provides part of the solution, but not the entire solution. I mean, it's already exploded in the last year with all the third-party vendors getting involved here, but the utilization of artificial intelligence going forward, we’re very interested to see where this space is going to go and how it's going to help our clients from a cybersecurity perspective. – Peter Mckeever

Whatever can be used for good can also be used for evil. So, we see a lot of the things that attackers do will mimic what system administrators do, with maybe just a slight variation on it. – Mari DeGrazia

Antivirus may pick up the deployment of the actual executable that's causing the shutdown, but it could have been detected so much earlier. And the effect could have been so much more limited if you had a program in place that detects any anomalous behavior and brings it to the attention of a person who can ….take preventative action. – Elizabeth Dill

On Incident Response Planning

If you don't have a plan, you're planning to fail. – Jeff Macko

The first 12 to 24 hours are some of the most crucial. And if people don't know what they're supposed to be doing in those 12 to 24 to 48 hours, then everyone does their own thing and the response isn't coordinated. People say and do things that they shouldn't do that would be unadvisable from a legal standpoint, from a forensic standpoint, from an insurance standpoint. You are potentially exposing yourself to additional communications issues that could have been avoided. – Elizabeth Dill

On Infrastructure and Segmentation

It is a simple way to contain an incident. The idea being that your network is broken down into smaller chunks. – Jeff Macko

So many times we would see a compromise that would happen within the corporate environment. And then they would move laterally right into the environment where they're processing credit card data and start exfiltrating out and scraping credit card data from there. And if it had been properly segmented, that whole situation would've been avoided. – Mari DeGrazia

On Backups

You need to have backups of the critical data. You need to think about how long it's going to take to restore the data. But the add that we have with ransomware is you need to think about where you're storing your data and who has access to the data. In a ransomware situation, the attacker's goal is to become one of your sysadmins. One of those IT people that you trust with all of the data that have the most access to your company, as well has access to where the backups are stored. – Jeff Macko

Testing to make sure that all of these controls are working is important, but as part of an incident response plan and an incident response process, it's really important for an organization to understand, alright, well, we've got backups and we have offline backups, but how long is it going to take you to restore from those backups? And so, organizations, even though they have these backups, they haven't tested the system that they would use to restore from backup in an efficient manner. – Elizabeth Dill

On Access Control

Every org should be auditing their users if they don't have some automated system. Large orgs will have their payroll system linked to their account creation. If you're a small org and you don't have that level of automation yet, every six months HR should be sending a list over to IT of all the employees and somebody should be verifying all of these employees are still employees and should have these accounts. – Jeff Macko

On Security Culture

Almost every incident that's happened, started with one of your administrative staff likely going, hmm, that's kind of funny. And I haven't seen that before. And then quickly somebody figures out, oh, this is not something we need to be involved with. Oh, it's really bad. Having that level of communication and your help desk should welcome any employee who wants to report a message that may be malicious and doesn't look right. – Jeff Macko

On Email Hygiene

Train the employees to sort of identify and report phishing. I would suggest highly that companies test their employees on this. There are plenty of services out there that will send sample phishing email messages to your employees and ask them to click, oh yeah, you failed and here are the ways that you should have known this was a phish. – Jeff Macko



Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.


Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Managed Security Services

World-renowned cyber investigators and leading technology fuel Kroll’s managed security services, augmenting security operations centres and incident response capabilities.

Data Breach Notification Letters

Kroll will work with your team to implement a personalized, plain-language notification letter that provides pertinent information and maintains message control.