#NSBCS.040 - Cyber Insurance: The Importance of Knowing Your DFIR Provider BEFORE a Breach

Source: NSB Cyber

 


In Australia, only 15-20% of SMEs have cyber insurance.

Let that sink in… just one in five businesses have taken steps to protect themselves in the event of a cyber breach.

Cyber insurance offers crucial benefits, from helping businesses understand and improve their current security maturity to being a critical partner when a breach occurs.

Many cyber insurers maintain a panel of Digital Forensics and Incident Response (DFIR) providers.

However, how many insured businesses actually know who their DFIR provider is? And are they aware they can choose their preferred DFIR provider for that critical moment?

Here’s why every business - insured or not - should establish a relationship with a DFIR provider before a breach occurs:

1. Speed of Response: In the moment of a breach, time is of the essence. Having a pre-existing relationship with a DFIR provider ensures that your organisation can quickly mobilise the right experts without delay, rather than scrambling to connect with an unfamiliar provider that you don’t know and that doesn’t know you.

2. Tailored Expertise: Not all DFIR providers are built from the same foundations. By knowing your provider beforehand, you can ensure they possess the specific expertise needed for your industry, systems, and threats. This leads to a more effective and efficient response when every second counts.

3. Trust and Communication: Trust and clear communication are paramount during a crisis, when stress is high and the margin for error is slim. A pre-established relationship with your DFIR team allows for smoother coordination and reduces the risk of miscommunication during an incident.

4. Customised Incident Response Plans: Working with your DFIR provider in advance allows you to develop incident response plans tailored to your organisation’s unique needs. This proactive approach ensures that everyone knows their role and the steps to take, rather than relying on a generic plan that doesn’t align to the moment.

Cyber insurance isn’t like buying car or home insurance. It’s not a set-and-forget strategy. In our increasingly digital world, active time and attention are required to protect your business effectively.

Understanding and maintaining a relationship with your DFIR provider ensures your organisation is better prepared for potential breaches. This proactive engagement allows for a more effective and efficient response, minimising damage and downtime.



What we read this week

  • ASD Warns of Scammers Posing as the ACSC - The Australian Signals Directorate (ASD) has issued a warning about scammers impersonating the Australian Cyber Security Centre (ACSC) to trick individuals into revealing sensitive information. The scammers send emails urging readers to click a link to download antivirus software; the link is malicious and may lead to malware being downloaded. The public is advised to verify the identity of any unsolicited communications claiming to be from the ACSC.

  • Critical Flaw in WPML WordPress Plugin Impacts One Million Websites - A critical remote code execution (RCE) vulnerability was discovered in the WPML WordPress plugin, impacting over one million websites. The flaw is tracked as CVE-2024-6386 with a CVSS score of 9.9, allowing unauthenticated attackers to execute arbitrary code on vulnerable installations, posing a significant security risk. The issue arises from improper input validation, leading to a server-side template injection (SSTI) vulnerability. Exploiting this vulnerability could result in complete website takeovers, data breaches, and unauthorised access to sensitive information.

  • Cyber Risk Management is Key to APRA’s 2024-25 Corporate Plan - The Australian Prudential Regulation Authority (APRA) has highlighted improving cyber risk management as a key focus in its 2024-25 Corporate Plan. The plan emphasises strengthening the financial sector's resilience against cyber threats, ensuring that institutions adopt robust cybersecurity practices. APRA is focused on enhancing cyber risk management across the financial sector and on encouraging financial institutions to collaborate with other government agencies, promoting a unified approach.

  • Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data - Microsoft patched a critical vulnerability in Copilot Studio that allowed attackers to bypass server-side request forgery (SSRF) protections, exposing sensitive data. Identified as CVE-2024-38206 with a CVSS score of 8.5, the flaw could let authenticated attackers access Microsoft’s internal infrastructure for Copilot Studio, including Instance Metadata Service and Cosmos Database (DB) instances. Exploiting this vulnerability enables the retrieval of access tokens that may compromise internal resources, which could include gaining read and write access to a Cosmos DB instance. Microsoft has since addressed the issue, requiring no user action.

  • Microsoft Sway Abused in Massive QR Code Phishing Campaign - A large-scale QR code phishing campaign exploited Microsoft Sway, a cloud-based presentation tool, to create landing pages that deceive Microsoft 365 users into revealing their credentials. Netskope Threat Labs identified the attacks in July 2024, noting a 2,000-fold surge in incidents using Microsoft Sway to host phishing sites targeting Microsoft 365 credentials. Security researchers noted that embedding URLs within images allows phishing emails to bypass scanners that only detect text-based content. When users receive a QR code, they often scan it using another device, such as a mobile phone, which typically lacks the stringent security measures of laptops or desktops. This makes users more susceptible to phishing attacks when using personal mobile devices.

