Сase study:
INSURANCE
Penetration test for the international insurance company (FAIRFAX Group)
The specific scope of the penetration test conducted for the international insurance company was to simulate a targeted attack by a malicious actor with the motivation to:
-
Determine if remote attackers could penetrate the company's defenses.
-
Identify potential security breaches and their impact.
The main goal of this penetration test was an examination of the client's infrastructure through the third party for possible issues that could affect the security of the applications, infrastructure and privacy of its users. The assessment also checks and evaluates security configurations that ensure the confidentiality, integrity, and availability of the client's company sensitive data and other resources.
Findings
During 35 days of extensive penetration testing and assessment, our team identified
46 vulnerabilities, with the highest severity being Critical.
ESKA identified key vulnerabilities in the IT infrastructure of the
insurance company, that could lead to the following scenarios:
A data breach that could result in the loss of customer information, which can be catastrophic for the insurance company. In the event of a breach, customer data stored with the company, could be stolen, including the patient's history. Hackers could generate fraudulent insurance claims leading to financial losses for the insurance company. This kind of activity can result in severe damages to the company's financial stability.
Operational technologies that support the back-office functions of the insurance industry could be put at risk by a cyber attack. Such an attack can result in severe damage to the company's back-office infrastructure, leading to data loss, loss of functionality, and diminished revenue.
A cyberattack can severely disrupt the business operations of an insurance company, making it difficult for employees to carry out their duties, ultimately reducing efficiency. This can lead to loss of potential opportunities for the company.
A cyber attack poses risks to the intellectual property of an insurance company, including sensitive financial and strategic information. These attacks could lead to the theft of such information, subsequently causing significant financial losses for the company.
A cyber attack on an insurance company could seriously damage the company's reputation, leading to a loss of trust among its customers. Suffering a loss of customer confidence can be a severe setback for any insurance company and may be difficult to recover from.
How it works
Process
A penetration test is usually roughly divided into six phases:
.png)
.png){kind=small}
Preparation
Our team started by collecting data on the call center infrastructure, including how voice records were stored and handled. We conducted vulnerability scans on the systems to detect any weaknesses that might be exploited. From our penetration testing activities, we identified a few vulnerabilities that could result in the exposure of sensitive data:
● Weak data encryption standards for the storage of voice records, which determined attackers could potentially break. Additionally, there was insufficient network segmentation, which could allow attackers to move laterally and access voice record databases;
● We observed a lack of robust access controls for systems that stored sensitive data.
.png)
Scanning phase
ESKA applied a comprehensive penetration testing methodology, targeting systems crucial to daily business operations. We began by identifying key systems and infrastructure that were vital for business continuity. Next, we conducted a network scan to discover devices and services, followed by vulnerability scanning to identify possible weaknesses. Our testing revealed several vulnerabilities that, if exploited, could significantly disrupt business operations:
● Outdated software versions susceptible to known exploits;
● Missing Authorization vulnerability.
Enumeration
Our pentesting team used a multi-faceted approach including several testing strategies, aiming to secure both the storage of sensitive information. The pentesting activities revealed several vulnerabilities in the systems storing and processing the company's sensitive information. These vulnerabilities included:
● Insufficient data access controls allowing unauthorized access to sensitive information;
● Inadequate monitoring and logging, which would not alert the company to an ongoing data breach
Exploit phase
Our pentesting team used a risk-based testing methodology, focusing on areas where an attack could potentially cause the most harm. This methodology involved a mix of automated and manual testing techniques, such as vulnerability scanning, fuzzing, and targeted exploits. During the pentesting activities our team uncovered several high-risk vulnerabilities in the OT systems. These vulnerabilities could allow a cyber attacker to disrupt back-office functions, leading to severe damage.
After identifying these vulnerabilities, we documented our findings and provided a detailed report that outlined our findings, potential impacts, and recommendations for mitigating these risks.
Methodologies we use
Recommendations
For each vulnerability found, we gave recommendations for their mitigation in the report. Here are some examples:
Review and update the server's access control and authentication mechanisms to ensure that only authorized users can access
sensitive data.
Implement encryption for data at rest and in transit to protect sensitive information from unauthorized access.
Perform regular security assessments and vulnerability scans to identify and mitigate potential security issues.
Regularly update and patch the server's operating system,
Apache, and any associated software to address known vulnerabilities.
Regularly conduct employee security awareness training, including the importance of password hygiene and recognizing social engineering attacks.
Notify affected employees and instruct them to change their passwords immediately if
they use any of them
on the Internet.
Implement strong password policies and enforce the use of unique, complex passwords for each employee.
Enable multi-factor authentication (MFA) for critical systems and applications to add an extra
layer of security.
Are you interested in learning more about this case or do you have similar security needs?
Our team of experts at ESKA conducted a comprehensive penetration test for an insurance company, uncovering significant issues and weaknesses within their systems. The identification and resolution of these vulnerabilities are vital in preventing potential data breaches and safeguarding sensitive information.
.png)