We can all agree that more cybersecurity awareness is a good thing. But what happens when it’s time to take action?

Cyber risk is a serious and pervasive issue confronting modern businesses on a daily basis. What they need is direction and support in mitigating risk in an efficient and effective manner.

So, when it comes to cyber risk, businesses need to be Active. In October, we’re exploring how businesses can gain a security advantage over threat actors through a deeper understanding of the most common and highly exploitable cybersecurity weaknesses.

How to Use Actionable Security Insights

Cybersecurity starts with risk assessment. Cyber insurers should be scanning the perimeter of a business’ network for weaknesses. If the scan finds an exposure that’s likely to be targeted by an attacker, it gets flagged. At Coalition, we call these flags Critical Security Findings.

Critical Security Findings are essential because they:

1. Indicate a greater chance of experiencing an attack.

2. Can disrupt the insurance-buying and renewal process.

3. Require prompt action from businesses to resolve.

Awareness of these exposures is valuable, but how can you actually put this information into action?

We asked security experts at Coalition to shed some light on three of the most common Critical Security Findings. They shared their perspectives on why the exposures are so prolific and provided clear, actionable recommendations on how businesses can mitigate these cyber risks.

Remote Desktop Protocol

Distributed workforces often require remote access to systems within a company’s network.

But if the wrong technology is used or if it’s improperly secured — as is often the case with Remote Desktop Protocol (RDP) — a business is more likely to experience a cyber attack.

“Threat actors gravitate toward RDP because it’s popular, easily discoverable over the internet, and vulnerable to brute force attacks,” said Tiago Henriques, VP of Security Research at Coalition. “RDP is the leading attack vector that attackers are scanning for and actively looking to exploit.”

A Critical Security Finding related to Remote Desktop Protocol (RDP), along with RDWeb and RDGateway, indicates access is exposed, accessible, and vulnerable to the public internet. So what should a business do if they receive a security alert about RDP?

“Businesses can still use RDP if it’s removed from the internet. They can also consider switching to a virtual private network (VPN) with multi-factor authentication,” Henriques said. “If they’re pursuing a longer-term solution, businesses should explore identity and access management solutions, security access edge solutions, or zero-trust access.”

“Threat actors gravitate toward RDP because it’s popular, easily discoverable over the internet, and vulnerable to brute force attacks. RDP is the leading attack vector that attackers are scanning for and actively looking to exploit.” — Tiago Henriques, VP of Security Research at Coalition.

Microsoft Exchange Server

Email is essential for modern businesses, but using a physical server to host Microsoft Exchange for email and calendar tools can increase the likelihood of a cyber attack.

“In recent years, we’ve seen a steady stream of new vulnerabilities that allow attackers to bypass Microsoft Exchange login controls,” said Joe Toomey, Head of Security Engineering at Coalition. “This is a huge problem not only because it allows for compromise of the email system, but also because it enables threat actors to take over a network, gain access to sensitive systems, and steal data or infect a network with ransomware.”

A Critical Security Finding related to Microsoft Exchange indicates that at least one login panel is exposed to the public internet. Even with basic authentication disabled, this technology creates an enticing opportunity for attackers — so what can businesses do about remediation?

“Much like RDP, Exchange login panels should be removed from the public internet,” said Toomey. “There are many ways to accomplish this access restriction, including implementing zero trust, a VPN, or an application proxy.”

Exposed Admin Panels

Admin panels are a convenient way to give IT professionals access to manage and support systems remotely. However, if the panels are discoverable over the public web, whether intentional or not, it makes a business an easy target for cybercriminals."

“Exposing admin panels to the internet is like a business leaving its door unlocked,” said Henriques. “We see threat groups scanning the internet for these weaknesses on a regular basis.”

A Critical Security Finding related to restricting access to Exposed Risky Panels indicates that at least one admin panel is accessible over the web, potentially exposing sensitive systems or enabling attackers to gain administrative privileges. Without ongoing monitoring, IT teams may struggle to keep up with web-accessible admin panels and the ongoing risk they present.

“To limit this exposure, businesses should take steps to ensure admin panels are not discoverable or accessible over the public internet,” said Henriques. “They can restrict access to only the internal corporate network, use a proxy to limit discoverability, or implement a zero-trust solution that validates identity and provides the minimum level of access required.”

Leveraging expertise with the Security Support Center

So what happens when a policyholder receives an alert about a Critical Security Finding?

Policyholders are encouraged to use Coalition Control™ to manage alerts and exposures. The platform provides deeper explanations and recommendations on remediation, but we also have an experienced team of technical experts in our Security Support Center who are on-call to help businesses swiftly resolve issues.

“Our team can accommodate most situations,” said Ryan Gregory, Security Support Center Lead at Coalition. “We’re happy to interface directly with businesses and handle technical conversations on the broker’s behalf. We can also connect directly with brokers and be a resource if they have questions about contingencies or remediation. Our goal is to be adaptable and ensure security alerts are addressed quickly and properly.”

Security alerts are how we warn policyholders about new cyber threats — and those who heed our warnings are typically more secure. Policyholders with one unresolved Critical Security Finding were 33% more likely to experience a claim than those who resolved it.

Coalition gives brokers and policyholders actionable support when they need it most. For questions or concerns that emerge during their policy period, log in to Coalition Control™ or email the Security Support Center.

This article originally appeared in the October 2023 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.

This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information. Copyright © 2023. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.