Europe’s Top Insurance Companies All Have Application Security Issues

Europe’s top insurance providers have security weaknesses in their web application architecture, according to the latest research by Outpost24.

The 2021 Web Application Security for Insurers Report analysed the web applications of the top 10 European insurance providers, as listed by ADV Rating, and found that every insurer had some degree of vulnerability or security weakness.

The top EU insurers run a total of 7,611 internet-exposed web applications across 1,920 domains, and 3% of these are considered suspicious (for example, test or staging environments left reachable from the internet). Nearly one in four (23%) of the applications identified use outdated components with known, exploitable vulnerabilities. This is particularly concerning because web applications remain the largest single source of data breaches: they combine many technologies and exposed entry points, each of which is a potential attack vector and a potential source of serious vulnerabilities.

Insurance providers have recently come under intense attack. Recent ransomware incidents at big names include the leak of 3TB of sensitive data from AXA and the attack on US insurer CNA Financial, which paid $40m to regain control of its network. There is no better time for insurers to examine their own application attack surface closely, especially against the most common attack vectors, which the Outpost24 report ranks through aggregated risk scoring.

The scoring enables insurance security teams and developers to compare and benchmark their attack surfaces and take the necessary steps to mitigate threats across their application footprint.

Of the criteria examined, the top three attack vectors identified are:

Page Creation Method – The technology and code base in which the web application has been developed. Developing websites with insecure code or outdated software increases the number of vulnerabilities available for attackers to exploit.

Degree of Distribution – The more pages an application has, the more risk it carries. Every page must be identified and inventoried, and code vulnerabilities must be uncovered at all levels, since an unknown page cannot be assessed or fixed.

Active Contents – When an application runs scripts, its content becomes active. Depending on how those scripts have been implemented, the attack surface grows if the site has been built on active content technologies with known weaknesses.

The report also highlights several other security and compliance issues, including basic SSL/TLS configuration defects, missing cookie consent, and privacy policy defects.

“As attacks targeting insurance companies increase, visibility is key. It is essential for insurance security professionals to have continuous insight into their digital footprint and attack surface, as very often they are in the dark about how many publicly exposed web apps are out there and their security posture,” said Stephane Konarkowski, Security Consultant at Outpost24.

In this 2021 study, Outpost24 analysed how the insurance sector fared on application security, but how does this compare against other industries? Top EU insurers have an average attack surface score of 38.10 (out of a maximum of 58.24), where a higher score indicates a larger and riskier attack surface, compared with 42.37 for online retailers and 16.39 for credit unions. This makes insurers more at risk than credit unions, but less at risk than retailers.