Top US credit unions have multiple web app security problems

One in ten web applications are running on old components that contain known vulnerabilities

Security researchers have discovered problems in the web applications deployed by the top ten credit unions in the US.

Researchers at Outpost24 analyzed the top US credit unions’ web application attack surface to evaluate their security. They found 1,224 publicly exposed web applications running over 107 domains, with 10% running on old components containing known vulnerabilities.

Outpost24 selected its US Credit Unions list based on a Segmint list of the Largest US Credit Unions by Assets. Researchers examined each union’s public-facing web security environments against the seven most common attack vectors hackers use during reconnaissance to ascertain a risk score between one and 100. The risk score comprised security mechanisms, page creation methods, degree of distribution, authentication, input vectors, active contents, and cookies.

The research found that the top three attack vectors against the US credit unions targeted active content technologies, followed by authentication and page creation methods.

“It’s no big surprise to see Active Content Technologies (ACT) as the biggest scorer. As soon as an application runs scripts, the attack surface could increase if a website has been developed using multiple active content technologies, some more vulnerable than others, to build and create their applications,” said Nicolas Renard and Stephane Konarkowski, security consultants at Outpost24.

Researchers said that, overall, the attack surface score for the top ten credit unions was 16.39 out of 58.24. However, research showed the worst offender from the top ten returned a disproportionately higher attack surface score of 34.08, outweighing everyone else on the list and showing a great disparity in the security posture between credit unions.

However, this score was significantly lower than that of US retailers, which scored 48.3. According to the researchers, this is likely because credit unions operate under a highly regulated business model that requires them to demonstrate a standard level of security hygiene to protect company assets and customer data against cyber criminals.

Researchers also examined the components used to develop the web applications and discovered, on average, 17 instances of open port 80 among the credit unions. They said this can be dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules.

Researchers said it is essential for security teams to identify open ports and close unused ones or install firewalls on hosts to monitor and filter port traffic to “prevent any security issues from creeping in.”