A Closer Look: Risks in Finance
As part of our State of the Internet Report blog series, we’re taking a closer look at findings from an industry perspective. Specifically, which risks were most commonly observed among sampled Finance and Insurance organizations? It goes without saying that maintaining good cybersecurity hygiene in the finance and insurance space is paramount: these organizations routinely handle highly sensitive personal and financial information about their customers. Security breaches in this arena not only result in front-page headlines, but can also yield serious complications for consumers navigating the fallout.
How the Censys Research Team collected data
The Censys Research team studied the presence of risks and vulnerabilities across random samples of 2.2 million hosts in November 2021 and 2 million hosts in June 2022. The team then randomly selected 1% of hosts from each ASdb industry categorization to ensure representation across a variety of industries. As a note, the team found little variation in results between the two observation dates.
At the time of observation, Censys had over 250 risk and vulnerability detection fingerprints.
What did we find in aggregate?
Across all industries, Censys found that misconfigurations made up roughly 60% of all Censys-visible risks. When we refer to misconfigurations, we mean risks like unencrypted services, weak or missing security controls, and self-signed certificates. The exposure of services, devices, and information represented 28% of observed risks, and this grouping includes instances like unintentional database exposures and exposed credentials.
Interestingly, vulnerabilities represent just 12% of observed risks in our 2021 and 2022 snapshots. Vulnerabilities include end-of-life or outdated software and CVEs. So despite the fact that critical vulnerabilities can get much of the publicity, the majority of risks facing industries can best be mitigated with routine hygiene best practices.
The top three risks observed across all industries are 1.) missing common security headers, 2.) self-signed certificates, and 3.) unencrypted weak authentication pages. You can learn more about the team’s analysis of these risks in our blog, “The Top Five Censys-Visible Risks on the Internet.”
Which risks did we observe in Finance & Insurance?
Let’s now take a look at our Finance and Insurance drill-down. Below we see the top 25 observed risks in Finance and Insurance from our June 2022 snapshot. Note: risk observations did not vary significantly between the 2022 and 2021 snapshots.
What can we gather from these findings? First, we see that the top three Censys-visible risks in this space are 1.) missing common security headers (~14%), 2.) weak TLS ciphers (~11%), and 3.) self-signed certificates (~9%).
Similar to the aggregate industry view, missing common security headers were the most visible risk in sampled Finance and Insurance organizations. Missing common security headers (like CSP and CORS) are of concern because they can make affected services a target for XSS or data injection attacks. A missing security header may not be a direct path to a Finance or Insurance organization’s customer data crown jewels, but it could be weaponized as one link in an exploit chain.
The same goes for the third most visible risk across Finance and Insurance: self-signed certificates. Self-signed certificates are certificates signed with their own private keys instead of by a trusted Certificate Authority. Any service without identity verification can be a target for man-in-the-middle attacks or a phishing campaign. Again, self-signed certificates are worth paying attention to because they could be weaponized to gather additional information about an organization.
The second-most visible risk, however, is where Finance and Insurance departs from the aggregate industry view. Whereas weak TLS ciphers rank sixth across all industries, this risk is second for Finance and Insurance. Weak TLS ciphers refer to encryption and decryption algorithms whose keys are insufficient in length; without sufficient key length and complexity, the chance of the encryption being cracked increases. Weak TLS ciphers were noted in about 11% of instances across observed hosts.
What does this mean for Finance and Insurance security teams?
As with security teams in many industries, those in Finance and Insurance have opportunities to focus on implementing systems and processes that help them maintain good security hygiene. Censys Research suggests that ensuring all properties have security headers, checking that certificates are signed by a trusted Certificate Authority, and establishing adequate TLS ciphers are relevant areas to focus security attention.
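The three focus areas above (security headers, CA-signed certificates, adequate TLS ciphers) can be checked by a security team against its own properties. The script below is an added example and is not Censys code or a Censys fingerprint; the header list, the weak-cipher markers, the "issuer equals subject" heuristic for self-signed certificates, and the sample headers, certificates and HTTP response are all the author's assumptions, constructed so the checks run offline. `live_check` shows how the same checks would be fed from a real TLS connection using only the Python standard library; it is not invoked by the offline demonstration.

```python
"""Hygiene checks for the three Finance & Insurance risks discussed above:
missing security headers, self-signed certificates, weak TLS ciphers.
Added example; the expectations below are assumptions, not Censys rules."""
import socket
import ssl

# Headers a defender would expect on an HTTPS property (assumed list).
EXPECTED_SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
)

# OpenSSL cipher-name fragments treated as weak: NULL/export/anonymous
# suites, RC4, DES and 3DES, and MD5-based MACs (assumed list).
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "anon")


def parse_headers(raw_response):
    """Parse the header block of a raw HTTP response into a dict."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def missing_security_headers(headers):
    """Return the expected headers absent from a header map (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_SECURITY_HEADERS if h.lower() not in present]


def is_weak_cipher(cipher_name, bits=None):
    """Flag a negotiated suite by name fragment or by key size below 128 bits."""
    by_name = any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS)
    by_size = bits is not None and bits < 128
    return by_name or by_size


def is_self_signed(cert):
    """Heuristic: a certificate whose issuer equals its subject is self-signed.
    `cert` is the dict form returned by ssl.SSLSocket.getpeercert()."""
    issuer = cert.get("issuer")
    return issuer is not None and issuer == cert.get("subject")


def live_check(host, port=443, timeout=5.0):
    """Run the checks against a real endpoint (needs network; not run here).
    The default context verifies the chain, so a self-signed or otherwise
    untrusted certificate surfaces as chain_trusted == False."""
    findings = {"chain_trusted": True}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _version, bits = tls.cipher()
            findings["weak_cipher"] = is_weak_cipher(name, bits)
            findings["self_signed"] = is_self_signed(tls.getpeercert())
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            response = b""
            while chunk := tls.recv(4096):
                response += chunk
            findings["missing_headers"] = missing_security_headers(parse_headers(response))
    except ssl.SSLCertVerificationError as exc:
        findings["chain_trusted"] = False
        findings["verify_error"] = str(exc)
    return findings


# Constructed sample data for an offline run.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"\r\n"
)
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "portal.example"),),),
    "issuer": ((("commonName", "portal.example"),),),
}
SAMPLE_CA_SIGNED = {
    "subject": ((("commonName", "portal.example"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
}

if __name__ == "__main__":
    print("missing headers:", missing_security_headers(parse_headers(SAMPLE_RESPONSE)))
    print("3DES weak:", is_weak_cipher("DES-CBC3-SHA", 112))
    print("AES-GCM weak:", is_weak_cipher("ECDHE-RSA-AES128-GCM-SHA256", 128))
    print("self-signed:", is_self_signed(SAMPLE_SELF_SIGNED), is_self_signed(SAMPLE_CA_SIGNED))
```

The offline functions are the reusable part: a team can feed them headers captured by its own scanner and the `(name, version, bits)` tuple from `SSLSocket.cipher()`, while `live_check` relies on the default context's chain verification rather than on the issuer heuristic alone, since a leaf signed by an untrusted private CA is just as untrusted to a customer's browser as a self-signed one.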
Check out our full 2022 State of the Internet Report for more industry-specific research.