Insurance Company Does Not See Value in Insurance Model
SERVICES: Wireless Assessment, Internal Vulnerability Assessment, Grey Box Web Application Security Assessment, and External Attack and Penetration Assessment
An insurance provider recently completed an Internal Audit of their IT security. One condition of the audit was to have penetration testing performed by a third party. The insurance company contracted SecureState’s Profiling Team to perform a Wireless Assessment, Internal Vulnerability Assessment, Web Application Security Assessment, and External Attack and Penetration Assessment. Attack and Penetration Tests simulate an actual hacker attempting to gain unauthorized access to a company’s resources. Penetration Tests are a much different process than a standard Vulnerability Assessment / Scan, in that once vulnerabilities have been discovered from either a manual or an automated process, SecureState will exploit the specific vulnerabilities or combine multiple vulnerabilities to achieve a larger attack (Vulnerability Linkage Theory).
Why this Engagement was Off The Charts!
The results of the assessments were unsettling, in more ways than one. In every assessment area, SecureState achieved full compromise of multiple systems. In fact, the only thing that stopped SecureState was that they ran out of systems to break into. Most of the methods used to compromise systems and locate confidential customer data were fairly basic attacks that a beginner could use. The company employed full time IT security personnel, but it was clear that they were either unmotivated or unqualified. The company’s internal auditor seemed to understand the severity of the problems and wanted the company to improve its security, but repeatedly backed down in what was one of our most confrontational closing meetings ever.
What the Consultants Had to Say
“Upfront, they were pretty nonchalant about the findings. But they quickly became defensive and pretty combative.” They repeatedly argued semantics, “this vulnerability should be ‘high’ instead of ‘extreme’, etc.” rather than worrying about the fact that so many exploitable vulnerabilities existed on all of their systems. “At one point, as one of the other consultants was walking them through the findings, the IT Manager yelled, ‘SHUT UP!’ He felt like we were piling on.”
Besides the completely unprofessional behavior, what was really surprising is that an insurance company so misunderstood the security “insurance” model. Their business is to help customers protect and mitigate against contingent risks, yet they didn’t realize that their failure to institute many basic security protections left them (and their customers’ data) uninsured against potential attacks.
Sure, they haven’t been breached yet (that they know of) but they “were the equivalent of selling auto insurance to a repeated drunk driver. It is pretty much an accident that they haven’t crashed yet.” As CEO Ken Stasiak puts it, “Our consultants strive to bring the most value to our clients. We work with a lot of clients who get it. These guys just didn’t get it.”