Study Finds Insurance Companies Lack Cyber Hygiene

A study of exposed web-app attack surface reveals that insurance companies are not good at keeping their own security house in order

Insurance companies base their premiums on the posture of their clients. Kids with sports cars pay high motor insurance premiums and houses built on flood plains have high home insurance premiums. The same pattern will be inevitable for cyber insurance – but it turns out these insurance companies have poor cyber hygiene themselves.

A study by Outpost24 reveals that insurance companies are not good at keeping their own security house in order. The results show that the top European insurers have an average attack surface score of 38.10 (out of a proprietary maximum of 58.24). This is better than online retailers (who score 42.37), but way behind credit unions at 16.39. 

These are overall scores. Worryingly, two of the top 10 European insurers had an attack surface score at 53.87 and 51.22 (out of 58.24) respectively. For the record, the top ten insurers analyzed were Allianz Group, AXA SA, Legal and General, Assicurazioni Generali, Aviva plc, CNP Assurances, Aegon, Prudential, Zurich Insurance Group, and Munich Re.

It should be stressed that these scores apply only to internet-facing web applications, and do not examine the internal network security of the insurance companies. Nevertheless, web application attacks are a primary vector for today’s criminals. Web applications are a front door into the network, where today’s advanced criminals can hide and wait for their opportunity to traverse the network and exfiltrate data. And insurance companies have vast amounts of personal data.

Outpost24’s report (PDF) found that the top European insurers operate a total of 7,611 internet-facing web apps across 1,920 domains. The diversification of insurance product offerings into areas such as pets, homes, motor, business, health and cyber – with each requiring its own subdomain – has led to this proliferation of domains; but 22.51% of the apps identified by Outpost24 were found to be using old components containing known vulnerabilities that could be exploited.

About 3% of the domains were ‘suspicious’ and likely to be test environments; that is, they shouldn’t have been there.

The top three attack vectors identified are Page Creation Method (77.7), Degree of Distribution (77.7), and Active Contents (54); but other security and compliance issues include SSL, cookie consent and privacy policy defects.

This is not a theoretical risk. In May 2021, AXA suffered a ransomware attack where the criminals claimed to have stolen 3TB of sensitive data. This is the same insurance firm that announced earlier in the same month that it would not reimburse French customers for ransomware payments. 

On May 20, 2021, Bloomberg revealed that CNA Financial had paid a $40 million ransom following a March 2021 cyberattack. In 2015, six weeks after Anthem announced a breach, Premera Blue Cross announced its own breach. Anthem later paid the U.S. government $16 million to settle potential privacy violations.

“As attacks targeting insurance companies increase, visibility is key. It is essential for insurance security professionals to have continuous insights of their digital footprint and attack surface, as very often they are in the dark about how many publicly exposed web apps are out there and their security posture,” said Stephane Konarkowski, managed services program director at Outpost24.

Other security experts are not impressed by Outpost24’s findings. Ben Pick, senior application security consultant at nVisium, told SecurityWeek, “Public test environments and using components with known vulnerabilities could be indicative of insufficient maintenance and outdated security practices. This is concerning since the insurers could use security risk to justify raising premiums against customers.”

“Repeated compromises could cause irreparable reputational harm. I’m sure I’m not alone in being less inclined to choose an insurer who is known for losing client data,” he added.

Setu Kulkarni, VP strategy at WhiteHat Security, warns that such problems are not limited to the insurance industry. But what makes the issue more complex here, he told SecurityWeek, is, “These applications have both east-west and north-south dependencies.” East-west dependencies mean one application is interacting with another application – for example, an insurance site integrating with a payment gateway to collect recurring monthly dues from customers. North-south dependencies occur when the application itself is dependent on both underlying infrastructure components and components that enable the application to be consumed.

“While applications themselves are vulnerable,” he continued, “they also inherit vulnerabilities from the other applications and components they are dependent on – for example, if an application is using a vulnerable third-party API, the application itself is now at risk of being breached.”

This analysis of insurance company web security is not a good advertisement for the insurance industry. “The notion of ‘do as I say not as I do’ has so often been a contributing cause of cyber-attacks, of CEO fraud, and others; so, no one should be surprised by the report’s findings,” comments Dirk Schrader, global VP security research at New Net Technologies (NNT).

It is simply ironic that an industry that can increase the amount it charges customers based on its own perception of the customer’s security posture has such a poor posture itself. But “The insurance companies can learn from their own mistakes and be a role model for those they insure and charge premiums for that coverage,” adds Schrader. “They need to employ a comprehensive set of technical controls that will prevent the use of outdated and vulnerable applications, that will secure and harden devices and configurations, that will tell them about their public exposure, and will safeguard sensitive customer data and mission-critical accounts.”

Swedish firm Outpost24 was founded in 2001 by Carsten Bang Jensen and Jesper Birch Jensen. It is headquartered in Karlskrona, Blekinge Lan, Sweden. In December 2020, it raised SEK 200 million (approximately $23 million) in a series C funding round led by Scandinavian asset manager Swedbank Robur and equity investment firm Alcur Fonder.

Related: Verizon DBIR 2021: Ransomware, Web App and Phishing Attacks Dominate

Related: 92% of External Web Apps Have Exploitable Security Flaws or Weaknesses

Related: Check Point Acquires Web Application Security Startup ForceNock

Related: App Quest: The Need for Web Application Security

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.