Сase study: Penetration test for the international insurance company

The specific scope of the penetration test conducted for the international insurance company was to simulate a targeted attack by a malicious actor with the motivation to:

Determine if remote attackers could penetrate the company's defenses.

Identify potential security breaches and their impact.

The main goal of this penetration test was an examination of the client's infrastructure through the third party for possible issues that could affect the security of the applications, infrastructure and privacy of its users. The assessment also checks and evaluates security configurations that ensure the confidentiality, integrity, and availability of the client's company sensitive data and other resources.

A data breach that could result in the loss of customer information, which can be catastrophic for the insurance company. In the event of a breach, customer data stored with the company, could be stolen, including the patient's history. Hackers could generate fraudulent insurance claims leading to financial losses for the insurance company. This kind of activity can result in severe damages to the company's financial stability.

A cyber attack on an insurance company could seriously damage the company's reputation, leading to a loss of trust among its customers. Suffering a loss of customer confidence can be a severe setback for any insurance company and may be difficult to recover from.

A cyber attack can severely disrupt the business operations of an insurance company, making it difficult for employees to carry out their duties, ultimately reducing efficiency. This can lead to loss of potential opportunities for the company.

A cyber attack poses risks to the intellectual property of an insurance company, including sensitive financial and strategic information. These attacks could lead to the theft of such information, subsequently causing significant financial losses for the company.

Operational technologies that support the back-office functions of the insurance industry could be put at risk by a cyber attack. Such an attack can result in severe damage to the company's back-office infrastructure, leading to data loss, loss of functionality, and diminished revenue.

Stage 1. Preparation
Our team started by collecting data on the call center infrastructure, including how voice records were stored and handled. We conducted vulnerability scans on the systems to detect any weaknesses that might be exploited. We also took advantage of the vulnerabilities that we discovered in a controlled setting to assess their potential impact, with a particular focus on data exposure scenarios. From our penetration testing activities, we identified a few vulnerabilities that could result in the exposure of sensitive data:● Weak data encryption standards for the storage of voice records, which determined attackers could potentially break. Additionally, there was insufficient network segmentation, which could allow attackers to move laterally and access voice record databases;● We observed a lack of robust access controls for systems that stored sensitive data.
Stage 2. Scanning phase
ESKA applied a comprehensive penetration testing methodology, targeting systems crucial to daily business operations. We began by identifying key systems and infrastructure that were vital for business continuity. Next, we conducted a network scan to discover devices and services, followed by vulnerability scanning to identify possible weaknesses. Our testing revealed several vulnerabilities that, if exploited, could significantly disrupt business operations:● Outdated software versions susceptible to known exploits;● Missing Authorization vulnerability.

Stage 3. Enumeration
Our pentesting team used a multi-faceted approach including several testing strategies, aiming to secure both the storage of sensitive information. The pentesting activities revealed several vulnerabilities in the systems storing and processing the company's sensitive information. These vulnerabilities included:● Insufficient data access controls allowing unauthorized access to sensitive information;● Inadequate monitoring and logging, which would not alert the company to an ongoing data breach
Stage 4. Exploit phase and reporting
Our pentesting team used a risk-based testing methodology, focusing on areas where an attack could potentially cause the most harm. This methodology involved a mix of automated and manual testing techniques, such as vulnerability scanning, fuzzing, and targeted exploits. During the pentesting activities our team uncovered several high-risk vulnerabilities in the OT systems. These vulnerabilities could allow a cyber attacker to disrupt back-office functions, leading to severe damage. For instance, we discovered:● Unpatched systems susceptible to known exploits;● Unsecured communication protocols that could be intercepted and manipulated;● Missing Authorization vulnerability.
After identifying these vulnerabilities, we documented our findings and provided a detailed report that outlined our findings, potential impacts, and recommendations for mitigating these risks.

OWASP Testing Guide - an industry-standard security testing manual for web applications and related technology.

ISECOM OSSTMM3 - a high-level security testing methodology developed and maintained by the Institute for Security and Open Methodologies. Used as the basis for planning, coordinating, and reporting.

NIST SP800-115 - a technical IT security testing methodology mandatory for U.S. federal agencies. Used within the automated vulnerability scanning, analysis, and validation.

PTES - an innovative penetration testing methodology being developed by a group of world-leading penetration testing, security audit, and social engineering professionals.

Review and update the server's access control and authentication mechanisms to ensure that only authorized users can access sensitive data.

Implement encryption for data at rest and in transit to protect sensitive information from unauthorized access.

Perform regular security assessments and vulnerability scans to identify and mitigate potential security issues.

Regularly update and patch the server's operating system, Apache, and any associated software to address known vulnerabilities.

Regularly conduct employee security awareness training, including the importance of password hygiene and recognizing social engineering attacks.

Enable multi-factor authentication (MFA) for critical systems and applications to add an extra layer of security.

Notify affected employees and instruct them to change their passwords immediately if they use any of them on the Internet.

Implement strong password policies and enforce the use of unique, complex passwords for each employee.

Are you interested in learning more about this case or do you have similar security needs?

Our team of experts at ESKA conducted a comprehensive penetration test for an insurance company, uncovering significant issues and weaknesses within their systems. The identification and resolution of these vulnerabilities are vital in preventing potential data breaches and safeguarding sensitive information.
By simulating real-world attack scenarios, we can help insurance companies identify and rectify vulnerabilities in their systems, ensuring the highest level of protection for their clients' data.
Protect your organization and client data by filling out the form below to request a comprehensive vulnerability assessment and penetration test from our experienced team. Stay one step ahead of cyber threats and fortify your defenses today.

Back to Projects