Engineering Firm Mitigates Data Risk Found in Security Scan to Obtain Cyber Coverage
After At-Bay’s security team scanned for susceptible ports and servers at an engineering firm, the client was able to take action to tighten their security. The firm addressed insecure WinRM service, out-of-date web servers, and open ISP ports that put them at risk for increased ransomware or phishing threats.
A $75 million engineering firm applied for their first ever cyber policy with At-Bay. Upon external evaluation of their network for risky security practices, our cyber analysts uncovered several vulnerabilities.
To proceed with coverage, At-Bay informed the company of the detected risks, accompanied with insights on how they could immediately address them. Our security team worked alongside the broker, reinforcing the value of holistic risk management to the client who saw a valuable opportunity to improve their risk.
Susceptible Servers and Open Ports can be Targets
This firm had an insecure WinRM (an open port for Windows Remote Protocol) and a susceptible EOL (End of Life) apache web server. External access to these servers could result in data compromise if ports connected to internal data are left open. Their system also had open ISP ports, which are typically indicative of RDP (Remote Desktop Protocol), and SMB (Server Message Block) functions. Both RDP and SMB are remote protocols used by hackers to access private data and infect systems with ransomware.
RDP is currently the most common threat vector for a severe attack. A hacker might not be able to confirm on the surface whether or not the risky protocols are actually running on the back-end, but the existence of the open ISP ports alone could spark their curiosity and land the company on a list of targets. The company also had an invalid SPF record for their primary domain, which hackers look for to spoof email addresses with fraudulent emails which appear as though they are coming from a user at that company.
A Quick Fix to Minimize Risk
The engineering firm investigated the open ISP ports to confirm RDP and SMB were not running and proceeded to close the ports to strengthen the appearance of their security posture. They also identified that their Skype app was running with an open WinRM, which they closed without disrupting functionality. The company successfully closed external access to both susceptible web servers and discontinued the connection to internal data, minimizing the likelihood of a data breach. The client also reviewed possible services hosted on RDP/SMB ports to confirm they were not exposed. Finally, they updated their SPF record to prevent sender address forgery by specifying which mail servers can send from their domain. The entire process was streamlined and simple and left the client feeling empowered to manage future risk.