Greater than 26,500 vulnerabilities exist within the exterior assault surfaces of Southeast Asia’s 90 high banking and monetary companies organisations, in keeping with new analysis by cybersecurity agency Tenable. About 11,000 of those exploitable internet-facing property belong to Singapore’s top-tier establishments, together with lenders and insurers.
The evaluation discovered weak SSL/TSL encryption, misconfigured inner property, inconsistent URL encryption, and older APIs throughout the banking and finance trade in Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. The property evaluated included domains, subdomains, IP addresses, internet servers, IoT units, community printers, and any gadget linked to the web or inner community, amongst others.
Singapore experiences most exploitable exposures
Singapore had the best variety of vulnerabilities amongst six international locations assessed, with over 11,000 internet-facing downside property throughout its high 16 banking, monetary companies, and insurance coverage corporations. Over 6,000 of these downside property have been hosted in the US.
The variety of vulnerabilities in different markets included:
- Thailand: 5,000.
- Indonesia: 4,600.
- Malaysia: 4,200.
- Vietnam: 3,600.
- The Philippines: 2,600.
Dangers reside in software program, encryption, APIs, and configurations
Tenable’s evaluation discovered a spread of “simply exploitable potential entry factors” inside banking, finance, and insurance coverage organisations in Southeast Asia. The cybersecurity agency declared that these “cyber hygiene gaps” have been “posing potential danger to the integrity and safety of economic information.”
Weak, outdated SSL/TLS encryption
In response to the report:
- Safe Sockets Layer and Transport Layer Safety encryption is designed to guard information despatched over the web or a pc community, however weak SSL/TLS encryption was discovered amongst assessed entities.
- 2,500 property amongst these surveyed have been nonetheless utilizing TLS 1.0, which Tenable mentioned is “a 25-year-old safety protocol launched in 1999 and disabled by Microsoft in September 2022.”
“This highlights the numerous problem organisations with intensive web footprints face in figuring out and updating outdated applied sciences,” Tenable mentioned in a press launch.
Misconfiguration of inner property
A lot of property initially supposed for inner use have been inadvertently uncovered. Tenable discovered 4,000 that had been misconfigured in ways in which made them accessible by exterior actors.
“Failing to safe these inner property poses a major danger to organisations, because it creates a possibility for malicious actors to focus on delicate data and important methods,” the agency mentioned.
Inconsistent ultimate URL encryption
Over 900 property have been discovered to have unencrypted ultimate URLs.
When URLs are unencrypted, the information transmitted between a browser and a server will not be protected by encryption, making it weak to interception, eavesdropping, and manipulation by malicious actors.
“This lack of encryption can result in publicity of delicate data, resembling login credentials, private information, or fee particulars, and might compromise the integrity of the communication,” Tenable mentioned.
API v3 being utilized by establishments
The report recognized over 2,000 API v3 situations from the overall variety of property assessed.
Tenable mentioned insufficient authentication, inadequate enter validation, weak entry controls, and vulnerabilities in dependencies inside API v3 implementations create a weak assault floor.
“Malicious actors can exploit such weaknesses to achieve unauthorised entry, compromise information integrity, and launch devastating cyber assaults,” Tenable’s commentary mentioned.
Weaknesses reside in Southeast Asia’s high banks and insurers
Tenable’s evaluation targeted on the most important companies by market capitalisation in Southeast Asian international locations. This makes the findings much more regarding, as they recommend even the most important establishments within the sector are vulnerable to cybersecurity vulnerabilities, though they could have extra sources accessible.
Nigel Ng, Tenable’s senior vp for Asia Pacific and Japan, mentioned weaknesses in these property revealed many monetary establishments throughout Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam have been “struggling to shut the precedence safety gaps that put them in danger.”
Cyber danger outstanding for banking and monetary sectors in APAC
International rankings company S&P International, which offers funding rankings in APAC, has indicated the cyber dangers going through the area’s banking and finance sector are actual — and will influence their backside line.
In an replace in July 2024, S&P International’s analysts mentioned that the rising cyber dangers throughout Asia-Pacific banks notably have an effect on third events and banks “with a scarcity of expertise.”
S&P International cited analysis exhibiting:
With the danger extra acute for smaller lenders within the area, S&P International warned that, though danger mitigation initiatives by regulators and banks have staved off cyber threats, these points may nonetheless happen and have an effect on rankings.
Because the S&P International replace famous, “Improper danger mitigation may enhance the chance of a profitable incursion and lead us to weaken our view of how cyber dangers are managed. This might have rankings results.”