Mapping the Attack Surface for Insurance Applications

With cyber-attacks actively targeting the insurance sector, including the recent and high profile ransomware hits on AXA causing a 3TB sensitive data leak and US CNA Financial who were forced to pay $40m to regain network control - it’s no wonder External Attack Surface Management (EASM) has become a major priority for cybersecurity leaders to defend their digital footprint. According to Gartner, EASM is an emerging practice that supports organizations in identifying risks coming from internet-facing assets that they may be unaware of such as shadow IT, exposure management and, expanding attack surfaces.

With ransomware pay outs reaching (on average) close to $2million it’s important for insurance organizations to avoid huge losses by understanding and reducing threats in their external attack surface before ransomware attacks happen. Our recent web application security for Insurance study highlights the most common attack vectors for insurers to visualize exposure from a hacker’s view, enabling security professionals to mitigate early signs of application security threats and reduce the likelihood of being exploited.

As demonstrated in a similar study for Retail & Ecommerce and Credit Unions, we use our web attack surface management tool Scout to automate discovery of all internet facing applications for the Top 10 insurance companies in Europe by asset (source: ADV rating), and identifying potential application security exposure in a consolidated risk portfolio view through aggregated data.

Key findings from the attack surface study:

• Top EU insurers combined have an average attack surface score of 38.10 (out of 58.24) vs online retailers at 42.37 and Credit Unions at 16.39
• Top EU insurers run a total of 7,611 internet exposed web applications over 1,920 domains, with 2.98% of them considered suspicious e.g., test environments
• 22.51% of these applications identified are found to be using old components containing known vulnerabilities that could be exploited
• Page Creation Methods (77.7), Degree of Distribution (77.7) and Active Contents (54) are the top 3 attack vectors identified with the highest exposure
• Other security and compliance issues detected include basic SSL, cookie consent and privacy policy defects.

Insuring the insurers

As the volume of insurance products increases (pet, home, car, travel, business etc) – each requiring their own sub domains and web applications to meet the different customer needs, it’s no surprise their attack surface has increased and become highly-exposed. A breach anywhere along the digital ecosystem could easily lead to compromise of the services and ultimately the users, customers and the business with dire consequence. Hackers are increasingly targeting the application layers through backdoors rather than attacking your security perimeter head-on. It’s important for insurers to have continuous visibility of their attack surface and prioritize fixes for the most exposed web services to ensure they do not fall victim during a hacker reconnaissance mission.

Compared to the Top retailers from our 2020 attack surface study we found the top insurance organizations have a lower web application attack surface score at 38.10 vs online retailers at 42.37. Yet their application attack surface is more than 2 times larger than Credit Unions and still provides cause for concern given the rise in ransomware attacks in retail and financial services.

The most disturbing finding from our study is the disparity between the Top 10 insurance organizations in terms of exposure – with the highest attack surface score (worst performer) at 53.87 out of 58.24 and the lowest score (best performer) at 14.39. With all insurance organizations being subjected with the same regulatory and compliance standards, the level of security hygiene and controls vary - with some of them falling significantly short in application security than others.

Utilizing an external attack surface management tool like Scout can help cut down the time taken to discover the complete chain of applications that you are connected to and pinpointing potential security issues from the ‘outside in’ (including those you didn’t know existed) to help security teams build a clear plan for early mitigation for vulnerabilities at risk.

Where top insurers are exposed

Our aggregated attack surface risk score is calculated by evaluating the Top 10 EU insurance organizations exposed web applications against the seven most common attack vectors that hackers use during reconnaissance. In this spider map, you can see the average weightings of the top attack vectors.

1. Security mechanism (SM)
2. Page creation method (PCM)
3. Degree of distribution (DOD)
4. Authentication (AUTH)
5. Input vectors (IV)
6. Active content (ACT)
7. Cookies (CS)

Top 3 attack vectors

1. Page creation method (PCM)

Our tool found page creation method as the joint biggest attack surface exposure scorer amongst the 7 common web app attack vectors. By scanning the public facing insurance domains we were able to identify application pages which have been developed using potentially insecure code which could carry potential vulnerabilities for exploitation. It’s important security professionals and developers work together to locate application weakness like this early in the DevOps cycle.

2. Degree of distribution (DOD)

Insurance apps are likely to have many pages due to the volume of products and policies on offer. However, this directly increases the attack surface as the more pages there are, the harder it is to keep on top of the security hygiene of every single page on every domain. Not to mention the numerous input vectors and fields that could be used on each page and how they are linked internally and externally to your infrastructure. Giving bad actors a plethora of opportunities to identify potential backdoor access and vulnerabilities to break in.

3. Active content (ACT)

In third place, we have seen more websites with a high active contents risk score, with 90% of insurance applications scoring >50 for this attack vector. The use of Javascript and ActiveX controls are common in modern application development as businesses look to create a more dynamic and real-time experience for the end-user. It’s easy for hackers to find out if your apps have been developed using vulnerable and outdated active content technologies using automation tools and techniques. Regular and continuous application scanning should be made a top priority to prevent script-based attacks.

Other common security issues

Cookies

Other common security issues detected include cookies, which benefit both the customer experience and create added verification for businesses. They are essential for real-time application security by monitoring session activity and ensuring anyone who sends requests to your website is allowed to do so and keeps hackers away from unauthorized areas. Without cookies, it can allow hackers to extract information from encrypted web connections and can be manipulated to spread across different domains and subdomains.

Vulnerable components

In addition, we also found 22.51% of insurers using old components such as jQuery in their applications. That’s an average of 143 outdated components in use per insurance company! The impact of this is a serious one as most of these components contain known vulnerabilities that could lead to SQL injection, Cross-Site Scripting and security misconfiguration exploits.

Web attack surface management best practice

Hackers by nature are opportunistic and will go to any length to penetrate a business, large or small, to steal critical data for financial gains. Therefore, it’s important to have a comprehensive attack surface risk management solution in place to minimize your application security posture by following these steps:

• Application discovery and inventory: Multi-discovery techniques used by hackers to map your known and unknown internet-facing applications, web services, APIs, SSL certificates and domains that you may have missed to create an inventory for full visibility
• Attack surface assessment and classification: Assess the exposure of application assets discovered against the 7 most common attack vectors used by hackers and classify them based on business criticality to highlight security weaknesses that could give them a foothold into your business
• Actionable risk scoring: Understand your security exposure from a hacker’s view with quantifiable risk ratings to pinpoint application threats and share vital context with developers and IT for further investigation to secure development
• Continuous application security monitoring: Monitor and assess your at-risk applications continuously for known vulnerabilities and misconfigurations to keep them secure and compliant 24/7.

Methodology

Our analysis of the Top 10 European insurers web application attack surface was conducted in 2021 and is based on the Top 10 as identified in the ADV ratings. All information collected and scanned is available from the public domain and has been used to provide actionable insights to Insurance organizations and others on how to effectively monitor and score your application attack surface for proactive application security.

All results for Retail, Insurance and Credit Unions analysis true as of the date of publication.