A report released this week by Outpost24, which examined the security posture of web applications amongst the Top 10 US Credit Unions, has revealed that they all have security issues.
Using its attack surface discovery tool, Scout, Outpost24 analysed each Credit Union’s public-facing web security environment against the seven most common attack vectors used by hackers during reconnaissance, to ascertain a risk score measured from 1 to 100. The attack vectors are labelled as Security Mechanisms, Page Creation Method, Degree of Distribution, Authentication, Input Vectors, Active Contents and Cookies.
Once the Scout tool had scanned the environments, it was found that the top three attack vectors against the US Credit Unions, by average score, were Active Content Technologies (70), followed by Authentication (23) and Page Creation Method (22).
The research also uncovered that there are 1,224 publicly exposed web applications running over 107 domains, with 10% running on old components that contain known vulnerabilities.
As we’ve seen in recent months, financial services are considered big targets for cybercrime due to the wealth of information and monetary assets stored within these institutions. As more of them adopt digital services to improve overall productivity and user interaction, this provides opportunities for hackers to exploit gaps in the infrastructure.
When scanning the attack surface of all top 10 Credit Unions, the average score given was 16.39 (out of 58.24). However, the research showed that the worst offender from the Top 10 returned a disproportionately higher attack surface score of 34.08, outweighing everyone else on the list and showing great disparity in security posture between Credit Unions.
Outpost24’s Scout tool also examined the components that were used to develop the web applications and discovered that there are on average 17 instances of open port 80 among the credit unions, which can be dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules.
This is not the first web application security industry report provided by Outpost24; in 2020, the top US retailers were also analysed. When comparing industries, the top 10 Credit Unions scored 16.39, significantly lower than US retailers, which scored 48.3.
The reason for the lower score is likely the highly regulated nature of the Credit Union industry. Organisations that operate within this sector must demonstrate a standard level of security hygiene to protect company assets and customer data against cyber criminals. Failure to do so will likely incur severe penalties.