Outpost24 recently analysed the web application attack surface of the top US Credit Unions to evaluate how secure they are. Using its attack surface discovery tool, Scout, Outpost24 found 1,224 publicly exposed web applications running over 107 domains, with 10% running on old components that contain known vulnerabilities.
The list of US Credit Unions was chosen based on a Segmint list of the largest US Credit Unions by assets. Each had its public-facing web security environments examined against the seven most common attack vectors used by hackers during reconnaissance to ascertain a risk score (score 1-100): Security Mechanisms, Page Creation Method, Degree of Distribution, Authentication, Input Vectors, Active Contents and Cookies.
The research found that the top three attack vectors against the US Credit Unions, by average score, were Active Content Technologies (70), followed by Authentication (23) and Page Creation Method (22).
Overall, the attack surface score for the top 10 Credit Unions was 16.39 (out of 58.24). However, the worst offender from the top 10 returned a disproportionately higher attack surface score of 34.08, outweighing everyone else on the list and showing great disparity in security posture between Credit Unions.
Outpost24’s Scout tool also examined the components used to develop the web applications and discovered that there are on average 17 instances of open port 80 among the Credit Unions, which can be dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules.
When comparing industries, the top 10 Credit Unions' score of 16.39 is significantly lower than that of US retailers, which scored 48.3. This is likely because of the highly regulated business model Credit Unions operate in, which requires them to demonstrate a standard level of security hygiene to protect company assets and customer data against cyber criminals.