All-Around IT Security Assessment for a US Insurtech Company Rated A+ by the BBB

Industry: Insurance, BFSI, Software products
Technologies: AWS

About Our Customer

The Customer is a prominent InsurTech company that holds an A+ rating with the Better Business Bureau. It runs a convenient insurance marketplace that helps thousands of users find optimal insurance plans at an affordable price.

A Comprehensive Security Assessment Was Needed

The Customer regards cybersecurity as one of its priorities: as the company deals with its clients’ sensitive data, a security breach would ruin its reputation and financial stability.

The Customer wanted a comprehensive security assessment, including web application and API penetration testing, AWS infrastructure security audit, and social engineering testing. Therefore, the company was looking for a vendor well-versed in cloud and web security. With vast experience in security testing, dedicated cloud security assessment services, and Certified Ethical Hackers and AWS-certified security specialists on board, ScienceSoft won the Customer’s trust and was contracted for the project.

Pentesting Revealed Web Application and API Security Flaws

The Customer provided ScienceSoft’s team with user credentials for gray box penetration testing of one web application and two APIs. Following the OWASP Web Security Testing Guide and the NIST SP 800-115 methodology, ScienceSoft’s security experts performed a series of automated and manual checks and attempted the most likely attack scenarios. They were pleased to report that the targets contained no critical security flaws that hackers could easily exploit. However, the team established that the APIs contained a number of medium-severity security flaws, including:

  • Improper input validation, which could enable a malicious actor to launch several types of attacks to gain unauthorized access to the app’s components, steal sensitive information, and disrupt application functioning. ScienceSoft’s team recommended applying both syntactic and semantic input validation so that user input is safe for the application to process.
  • An outdated Nginx web server. The server needed to be upgraded to the latest version before an attacker could use its known vulnerabilities to execute arbitrary code or crash the server.

ScienceSoft’s team also reported several minor security flaws in the web app and APIs, such as missing HTTP security headers, support for the deprecated TLS 1.0 and TLS 1.1 protocols, a lack of brute-force protection, sensitive information disclosure via HTTP response headers, and more. Although these vulnerabilities were unlikely to be exploited by attackers, ScienceSoft’s team recommended fixing them to avoid unnecessary risk and outlined the required remediation measures.
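As an added illustration (not part of ScienceSoft’s report or tooling), the following script shows how the response-level findings listed above can be checked automatically against a captured HTTP response. The sample response and the set of offered TLS versions are constructed for this example, and the header thresholds (for instance the one-year HSTS minimum) are this example’s own choices.

```python
# Headers a hardened web app or API is expected to send; the predicate
# checks the value (None means presence alone is enough).
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v
        and int(v.split("max-age=")[1].split(";")[0]) >= 31536000,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": None,
}
LEGACY_TLS = {"TLSv1.0", "TLSv1.1"}

def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_response(raw: str, offered_tls: set) -> list:
    """Return finding strings for one response plus the TLS versions the endpoint offers."""
    headers = parse_headers(raw)
    findings = []
    for name, check in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing header: {name}")
        elif check is not None and not check(headers[name]):
            findings.append(f"weak value for {name}: {headers[name]}")
    # A version number in Server / X-Powered-By is information disclosure.
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if any(ch.isdigit() for ch in value):
            findings.append(f"version disclosed in {name}: {value}")
    for version in sorted(offered_tls & LEGACY_TLS):
        findings.append(f"legacy protocol offered: {version}")
    return findings

# Constructed sample response; not captured from any real system.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.0\r\n"
    "Content-Type: application/json\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    '{"status": "ok"}'
)
```

Running `audit_response(SAMPLE_RESPONSE, {"TLSv1.0", "TLSv1.2"})` on the constructed sample yields five findings: a too-short HSTS max-age, two missing headers, the Nginx version disclosed in the Server header, and TLS 1.0 being offered.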

Social Engineering Testers Checked Employees’ Resilience to Phishing and Vishing Attacks

The Customer provided 38 employee email addresses to be tested. For a comprehensive check of the company’s preparedness for phishing attacks, ScienceSoft’s team planned and performed the testing in three stages:

  • ScienceSoft’s security testers checked the reliability of the email protection mechanisms. They sent malicious emails without whitelisting the senders’ addresses. As a result, they confirmed that the email servers protect users against emails containing suspicious links, forms, and attachments.
  • The testers exploited the input validation vulnerability found during the penetration testing and managed to send an email with a phishing link from one of the Customer’s addresses. As a result, 4 out of the 38 targeted employees clicked the link.
  • ScienceSoft’s security testers added their test email addresses to the whitelist to ensure the employees would see the phishing emails. However, the emails went to the junk folder, so employees found them suspicious and did not follow the links.

During the vishing campaign, ScienceSoft’s team ran several true-to-life scenarios. For example, the tester called the targeted employees pretending to be a tech support specialist and asked them to allow a remote connection or to execute a command in CMD and share the output. One of the Customer’s employees ran the command requested by the caller. The others refused to follow the instructions and informed their manager about the suspicious calls.

Based on the results of social engineering testing, ScienceSoft’s security experts evaluated the resilience to human-based attacks as high. They pointed out that the Customer should establish consistent security awareness training and continuously upgrade the email security system to stay protected against phishing and vishing.

Cloud Security Audit for Increased AWS Infrastructure Protection

ScienceSoft’s certified AWS security specialist manually reviewed the Customer’s AWS infrastructure components: Lambdas, Elastic Beanstalk app, VPC, S3, EC2, and more. She detected several misconfigurations that could enable a potential attacker to get unauthorized access to the corporate data. To protect the Customer’s cloud environment according to best security practices, ScienceSoft’s team recommended:

  • Reviewing the multiple accounts that held admin rights and limiting their permissions to those required by each specific user role.
  • Setting up multi-factor authentication for all users.
  • Enabling AWS Config for a full view of AWS resources configuration and automated alerts on undesired configuration changes.
  • Enabling and configuring CloudTrail to continuously monitor the activities across the AWS infrastructure.
  • Configuring AWS Web Application Firewall (WAF) to protect against cross-site scripting, cross-site request forgery, SQL injection attacks, and more.
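As an added example (not ScienceSoft’s tooling), the script below shows how the first two recommendations, least-privilege review of admin accounts and MFA for every console user, can be checked offline from an IAM credential report and the policy documents attached to users. The report rows, account ID, and policies are constructed; only the column names follow the IAM credential report format.

```python
import csv
import io

# Constructed IAM credential report excerpt: the column names follow the real
# report format, but every row is invented for this example.
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true
"""

# Constructed policy documents attached to two of those users.
POLICIES = {
    "alice": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "deploy-bot": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::release-artifacts/*"}]},
}

def users_without_mfa(report_csv: str) -> list:
    """Console users (password enabled) with no MFA device; each one is a finding."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]

def is_admin_policy(policy: dict) -> bool:
    """True when any Allow statement grants every action on every resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False

def audit_identities(report_csv: str, policies: dict) -> list:
    """Combine both checks into the finding list an auditor would report."""
    findings = [f"{u}: console access without MFA" for u in users_without_mfa(report_csv)]
    findings += [f"{u}: policy grants full admin rights (*:*)"
                 for u, p in policies.items() if is_admin_policy(p)]
    return findings
```

A production review would also have to follow group memberships and attached managed policies (such as AdministratorAccess), which this example deliberately leaves out.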

Actionable Reports and Enhanced Security Posture

As a result of the security assessment by ScienceSoft, the Customer received comprehensive reports on the penetration testing, social engineering testing, and AWS infrastructure security audit results. The reports described the vulnerabilities found, classified them by severity, and suggested the required corrective measures. Following this remediation guidance, the Customer’s IT team quickly fixed the existing security flaws and achieved a high security level for the company’s IT environment. The reports will also serve as proof of due diligence that may be needed for compliance attestation.

Technologies and Tools

Burp Suite, Metasploit, Postman, OWASP ZAP, KiteRunner, Vooki, Nmap, SSLScan.
