By Stephane Konarkowski, security consultant at Outpost24
With reports of American insurance giant AJG suffering a data breach after a ransomware attack, the number of notable security incidents impacting insurance providers has increased since the turn of the year. AJG is another big insurance name to suffer a cyberattack, joining fellow US insurance provider CNA Financial, which was forced to pay $40m to hackers to regain network control after a cyberattack. On the other side of the Atlantic, French multinational insurance provider AXA recently had a 3TB sensitive data leak after suffering a ransomware attack which severely impacted its operations in Southeast Asia. It’s clear the number of attacks against financial organisations, specifically insurance providers, is increasing, and this presents significant dangers to them and their customers.
Having continuous visibility into the attack surface has always been a key part of an organisation's security baseline. However, insurance providers are very often in the dark about how many publicly exposed web apps they have and the vulnerabilities these may expose, which can then impact their overall security posture.
In an attempt to shed some light on where insurance providers are going wrong, a recent Outpost24 report revealed that Europe’s top insurance providers all have security weaknesses within their web application architecture. By evaluating the internet-facing web applications, the report highlights the risks that exposed web applications and associated vulnerabilities pose to insurers.
The research uncovered that the top European insurers run over 7,600 internet-exposed web applications with more than 1,920 domains. It also disclosed that almost 3% of the domains are considered suspicious, e.g. testing environments that may have access to other databases. In addition, nearly 23% - or one in four - of the insurance providers' applications identified used old components that contain already-known vulnerabilities that are easy to exploit.
Web application attacks are a primary vector for today’s cyber criminals and should not be overlooked by security professionals. They are viewed as the front door (and potential back door) into a business network, where today’s advanced criminals can lie dormant and undetected before exploiting the systems and exfiltrating data. Given the vast amounts of personal data insurance companies hold about their customers and policy holders, this can be extremely dangerous for all those associated with the insurer.
To help insurance providers and their security teams focus their attention on the common weak spots within their web application architecture and secure them with the correct security controls, the following 3 attack vectors (from the seven common web app attack vectors threat actors use to carry out reconnaissance) were identified as the most hazardous in this sector:
Page Creation Method - This concerns the code the web app has been developed in. Developing web apps with insecure code or outdated software increases the risk of potential vulnerabilities for hackers to exploit. It’s important that security professionals and developers work together to locate application weaknesses like this early in the DevOps cycle.
Degree of Distribution - Insurance apps are likely to have many pages due to the volume of products and policies on offer. However, this directly increases the attack surface as the more pages there are, the harder it is to keep on top of the security hygiene of every single page on every domain.
Active Contents - When an application runs scripts, the content becomes active and, depending on the way those scripts have been implemented, the attack surface could increase if a website has been developed using vulnerable active content technologies. Although scripts are great in providing a better customer experience, it’s easy for hackers to use script files (PowerShell, JavaScript, HTA, and VBS) to carry out an attack and launch malware.
It was also highlighted that several other security and compliance issues, such as basic SSL, cookie consent, and privacy policy defects, persist. In fact, 23% of insurers are using old components such as jQuery in their applications. That’s an average of 143 outdated components in use per insurance company! The impact of this is serious as most of these components contain known vulnerabilities that could lead to SQL injection, Cross-Site Scripting and security misconfiguration exploits.
Having poor cyber hygiene in this digital age is unacceptable but, as many of these insurers offer cybersecurity insurance premiums, they should be at the forefront when it comes to displaying best practices and reducing risk.
Meeting the security challenge
Following on from the research findings and the recent attacks against insurance providers, it's evident insurance providers are challenged to meet the standards of modern cybersecurity. There is a growing complexity of modern-day insurance applications which can make it difficult for security teams to focus and prioritise their security controls and remediation efforts.
Knowing that they are more susceptible to being attacked, insurance providers must examine their application attack surface continuously. Preventing attacks from potential backdoor access should be their top priority, especially against the most notorious and common attack vectors revealed in this report.
With cyber threats mounting and customer data at risk, insurance providers must take a proactive view of their internet-facing applications with continuous attack surface management. It has become important for all insurance providers to understand what applications they own that could be visible and exploitable by threat actors. Having a full view of the attack surface is the only way insurance providers can prioritise resource and budget for effective remediation and reduce their risk exposure in a meaningful way.