13 Nov, 2024
Outpost24 releases 2021 Web Applications for Insurers Report
Aviva, Prudential and Allianz amongst European insurers with application security issues
Outpost24, an innovator in identifying and managing cybersecurity exposure, today announced the results of its 2021 Web Application Security for Insurers Report, which analysed the web applications of the top 10 European insurance providers, as listed by ADV Rating. Using its attack surface discovery and assessment tool, Scout, Outpost24 examined the digital footprint of some of the EU's largest insurers to uncover potential security weaknesses, and found that every insurer had some degree of vulnerability in its web applications.
The findings revealed that the top EU insurers run a total of 7,611 internet-exposed web applications across 1,920 domains, 3% of which are considered suspicious (e.g. test environments exposed to the internet). Furthermore, nearly one in four (23%) of the applications identified were found to be using outdated components with known vulnerabilities that could be exploited. This is particularly concerning because web applications remain the biggest source of data breaches: they combine many technologies and entry points, and each of those is a potential attack vector that can expose a serious vulnerability.
The Outpost24 report highlights the most common attack vectors affecting insurers through aggregated risk scoring. This enables insurance security teams and developers to compare and benchmark their attack surfaces and take the necessary steps to mitigate threats in their application footprint.
Of the criteria examined, the top 3 attack vectors identified are:
1. Page Creation Method - This depends on the technology stack the web app has been built with. Developing sites with insecure code or outdated software increases the risk of vulnerabilities that attackers can exploit.
2. Degree of Distribution - The more pages an application has, the larger its attack surface. Every page must be identified and checked for code vulnerabilities at all levels.
3. Active Contents - When an application runs scripts, its content becomes active; depending on how those scripts have been implemented, the attack surface grows if the site has been built using vulnerable active content technologies.
The report also highlights several other security and compliance issues, including basic SSL/TLS configuration, cookie consent and privacy policy defects.
With cyber insurance premiums becoming big business during the pandemic, insurers themselves, who store and process vast amounts of sensitive customer data, remain a soft target for cyber attacks. Recent ransomware hits on big names include AXA's 3TB sensitive data leak and US insurer CNA Financial, which was forced to pay $40m to regain control of its network. There is no better time for insurers to take a magnifying glass to their own application attack surface.
“As attacks targeting insurance companies increase, visibility is key. It is essential for insurance security professionals to have continuous insights of their digital footprint and attack surface, as very often they are in the dark about how many publicly exposed web apps are out there and their security posture”, said Stephane Konarkowski, Security Consultant of Outpost24.
“We hope that this research will help insurance providers better understand the underlying attack vectors that could impact their application security, and take a more proactive approach to improving cyber hygiene by closing off potential backdoor access, before hackers find them, with continuous assessment and monitoring,” said Nicolas Renard, Security Consultant of Outpost24.
In this 2021 study, Outpost24 analysed how the insurance sector fared on application security, but how does this compare against other industries? Top EU insurers have an average attack surface score of 38.10 (out of a maximum of 58.24), versus 42.37 for online retailers and 16.39 for credit unions, making them more at risk than credit unions but less at risk than retailers.