Below are select highlights from the list of software vulnerabilities that the Corvus team has responded to recently. Keep scrolling for the timeline of one of these responses, which shows how we quickly reach the right policyholders with key information when we detect a new vulnerability on their system.
Mitel, a telecommunications company that provides business phone systems, issued a security advisory for a critical vulnerability, CVE-2022-29499 (present in the Mitel Service Appliance component of MiVoice Connect). The vulnerability allows for remote code execution.
How Corvus Alerts Work
VPN Vulnerability - October 2022
Our Risk + Response team has developed a holistic approach including continual risk assessment, proactive risk management, and rapid response. A key fixture of our outreach is the vulnerability alert email, sent in response to critical security advisories. On average, we find that policyholders who receive Corvus Alerts patch their systems three times faster than organizations that don't receive a notification.
Who do we alert, why does it matter, and how do we stay ahead of threat actors? Scroll down to follow the timeline of one event from the discovery of a vulnerability to the alert landing in a policyholder’s inbox.
The Vulnerability is Discovered
On Friday, October 7th, 2022, a major VPN provider sent an email to select customers about a critical vulnerability that potentially allowed for authentication bypass in certain versions of the software. The vendor released a security patch and recommended immediate application. It would not issue a public advisory until the following Monday.
Potential Impact
Threat actors could leverage this vulnerability to gain access to the firewall and VPN device, which is a common target to ultimately deploy ransomware throughout the environment. This was a “zero-day”: once the word got out, threat actors were armed with the knowledge of how to seek out vulnerable organizations and launch an attack.
Although the news was only released to select customers, our team had our ears to the ground and was made aware of the situation. As a first step, our in-house security experts assessed the severity of the risk. With numerous advisories and rumors surfacing on any given day, prioritization is critical. Using our established criteria, the team determined that the vulnerability’s severity justified a proactive alert to policyholders. Members of the Risk + Response team gathered all known information and compiled it into easy-to-follow instructions that were published by 2:30pm.
The Race to the Inbox (with a leg up from Corvus tech)
With a “zero-day” vulnerability, timely alerts are particularly crucial. But sending alerts that aren’t applicable to a policyholder is a waste of their time and risks making them less responsive to true threats (the proverbial "crying wolf" situation). So a key part of determining our response is finding out how many policyholders use the device, and who they are.
How do we know who to alert? With the proprietary Corvus Scan, the Corvus Data Science team plugs gaps in traditional “off the shelf” IT scans. One feature utilizes keywords to match certain VPNs, enabling our team to identify which of our policyholders were most likely at risk through the use of the affected software.
Within hours of discovering the vulnerability, our team sent an Alert email to the Corvus policyholders who were most likely affected, with clear steps and helpful resources. The team stood by to help any policyholders with questions or clarifications.
These Alerts reached hundreds of potential victims the same day as the initial customer announcement, and preceded the public advisory by more than two days. Because our policyholders patch their systems on average three times faster than a typical organization, we know that they are much more likely to beat threat actors to the punch.
Thanks for reading!
Lauren Winchester, VP, Risk + Response
Jason Rebholz, Chief Information Security Officer
Chris Hedenberg, VP, Data Science
Lori Bailey, Chief Insurance Officer
Legal Disclaimer: This report is intended for general guidance and information purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. Please consult your broker with respect to the information presented herein.
Corvus Insurance is building a safer world through insurance products and digital tools that reduce risk, increase transparency, and improve resilience for policyholders and program partners. Our market-leading specialty insurance products are enabled by advanced data science and include Smart Cyber Insurance® and Smart Tech E+O™. Our digital platforms and tools enable efficient quoting and binding and proactive risk mitigation. Corvus Insurance offers insurance products in the U.S., Middle East, Europe, Canada, and Australia. Current insurance program partners include AXIS Capital, Crum & Forster, Hudson Insurance Group, certain underwriters at Lloyd’s of London, R&Q Accredited, SiriusPoint, and The Travelers Companies, Inc.
Corvus Insurance, Corvus London Markets, and Corvus Germany are the marketing names used to refer to Corvus Insurance Agency, LLC; Corvus Agency Limited; and Corvus Underwriting GmbH. All entities are subsidiaries of Corvus Insurance Holdings, Inc. Corvus Insurance was founded in 2017 and is headquartered in Boston, Massachusetts with offices across the U.S., in the UK, and Germany. For more information, visit corvusinsurance.com.