More than 26,500 vulnerabilities exist within the external attack surfaces of Southeast Asia’s 90 top banking and financial services organisations, according to new research by cybersecurity firm Tenable. About 11,000 of these exploitable internet-facing assets belong to Singapore’s top-tier institutions, including lenders and insurers.
The assessment found weak SSL/TLS encryption, misconfigured internal assets, inconsistent URL encryption, and older APIs across the banking and finance industry in Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. The assets assessed included domains, subdomains, IP addresses, web servers, IoT devices, network printers, and any device connected to the internet or internal network, among others.
Singapore experiences most exploitable exposures
Singapore had the highest number of vulnerabilities among the six countries assessed, with over 11,000 internet-facing problem assets across its top 16 banking, financial services, and insurance companies. Over 6,000 of those problem assets were hosted in the United States.
The number of vulnerabilities in other markets included:
- Thailand: 5,000.
- Indonesia: 4,600.
- Malaysia: 4,200.
- Vietnam: 3,600.
- The Philippines: 2,600.
Risks reside in software, encryption, APIs, and configurations
Tenable’s assessment found a range of “easily exploitable potential entry points” within banking, finance, and insurance organisations in Southeast Asia. The cybersecurity firm said that these “cyber hygiene gaps” were “posing potential risk to the integrity and security of financial data.”
Weak, outdated SSL/TLS encryption
According to the report:
- Secure Sockets Layer and Transport Layer Security encryption is designed to protect data sent over the internet or a computer network, but weak SSL/TLS encryption was found among assessed entities.
- 2,500 assets among those surveyed were still using TLS 1.0, which Tenable said is “a 25-year-old security protocol introduced in 1999 and disabled by Microsoft in September 2022.”
“This highlights the significant challenge organisations with extensive internet footprints face in identifying and updating outdated technologies,” Tenable said in a press release.
Misconfiguration of internal assets
Many assets originally intended for internal use were inadvertently exposed. Tenable found 4,000 that had been misconfigured in ways that made them accessible by external actors.
“Failing to secure these internal assets poses a significant risk to organisations, as it creates an opportunity for malicious actors to target sensitive information and critical systems,” the firm said.
Inconsistent final URL encryption
Over 900 assets were found to have unencrypted final URLs.
When URLs are unencrypted, the data transmitted between a browser and a server is not protected by encryption, making it vulnerable to interception, eavesdropping, and manipulation by malicious actors.
“This lack of encryption can lead to exposure of sensitive information, such as login credentials, personal data, or payment details, and can compromise the integrity of the communication,” Tenable said.
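One way to check your own assets for this finding, as an added example that is not from Tenable's report or the original article: it walks a recorded redirect chain and flags a chain that ends on plain HTTP or drops from HTTPS to HTTP along the way. It assumes the finding refers to the URL a request ends on after all redirects; `audit_chain` is a hypothetical helper, and the hostnames and recorded responses are constructed.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample data: URL -> (status, Location header). It stands in for
# live HTTP responses so the audit runs offline; all hostnames are placeholders.
RECORDED = {
    "http://bank.example/": (301, "https://bank.example/"),
    "https://bank.example/": (302, "/personal"),
    "https://portal.example/login": (302, "http://legacy.portal.example/login"),
    "https://pay.example/": (302, "http://cdn.pay.example/r"),
    "http://cdn.pay.example/r": (301, "https://pay.example/home"),
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


def audit_chain(start_url, responses=RECORDED, max_hops=10):
    """Hypothetical helper: walk a redirect chain and list encryption findings."""
    hops, url = [], start_url
    while url is not None and url not in hops and len(hops) < max_hops:
        hops.append(url)
        # URLs missing from the recording are treated as a terminal 200 response.
        status, location = responses.get(url, (200, None))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative to this hop
        else:
            url = None  # chain ended normally
    findings = []
    if url is not None:
        findings.append("redirect-loop-or-too-long")
    schemes = [urlsplit(h).scheme for h in hops]
    if schemes[-1] != "https":
        findings.append("unencrypted-final-url")
    # An HTTPS hop that redirects to HTTP exposes the request even when the
    # chain later returns to HTTPS.
    if any(a == "https" and b != "https" for a, b in zip(schemes, schemes[1:])):
        findings.append("https-to-http-downgrade")
    return {"final_url": hops[-1], "hops": hops, "findings": findings}


if __name__ == "__main__":
    for start in ("http://bank.example/", "https://portal.example/login",
                  "https://pay.example/", "https://loop.example/a"):
        result = audit_chain(start)
        print(start, "->", result["final_url"], result["findings"] or ["ok"])
```

Against live assets, the recorded mapping would be filled from real responses fetched with automatic redirect following turned off, so every hop is visible.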
API v3 being used by institutions
The report identified over 2,000 API v3 instances from the total number of assets assessed.
Tenable said inadequate authentication, insufficient input validation, weak access controls, and vulnerabilities in dependencies within API v3 implementations create a vulnerable attack surface.
“Malicious actors can exploit such weaknesses to gain unauthorised access, compromise data integrity, and launch devastating cyber attacks,” Tenable’s commentary said.
Weaknesses reside in Southeast Asia’s top banks and insurers
Tenable’s assessment focused on the largest companies by market capitalisation in Southeast Asian countries. This makes the findings even more concerning, as they suggest even the largest institutions in the sector are susceptible to cybersecurity vulnerabilities, even though they may have more resources available.
Nigel Ng, Tenable’s senior vice president for Asia Pacific and Japan, said weaknesses in these assets revealed many financial institutions across Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam were “struggling to close the priority security gaps that put them at risk.”
Cyber risk prominent for banking and financial sectors in APAC
Global ratings agency S&P Global, which provides investment ratings in APAC, has indicated the cyber risks facing the region’s banking and finance sector are real and could affect their bottom line.
In an update in July 2024, S&P Global’s analysts said that the rising cyber risks across Asia-Pacific banks notably affect third parties and banks “with a scarcity of expertise.”
S&P Global cited research showing:
With the risk more acute for smaller lenders in the region, S&P Global warned that, although risk mitigation initiatives by regulators and banks have staved off cyber threats, these issues could still occur and affect ratings.
As the S&P Global update noted, “Improper risk mitigation could increase the likelihood of a successful incursion and lead us to weaken our view of how cyber risks are managed. This could have ratings effects.”