Saturday, December 14, 2024

Thousands of Southeast Asian banks at risk from 26,500 cyber vulnerabilities?

According to a recent study by cybersecurity firm Tenable, more than 26,500 vulnerabilities are present on the external attack surfaces of Southeast Asia’s 90 leading banking and financial services organizations. Around 11,000 exploitable internet-facing properties are owned by Singapore’s top-tier institutions, including financial lenders and insurers.

The study discovered weaknesses in SSL/TLS encryption, misconfigured internal properties, inconsistencies in URL encryption, and outdated APIs across the banking and finance sectors in Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. The assessment encompassed a broad range of assets, including domains, subdomains, IP addresses, network servers, Internet-of-Things devices, community printers, and any device connected to the internet or internal network, among numerous other machines.

Singapore experiences most exploitable exposures

Among the six nations evaluated, Singapore stood out for having the most extensive range of vulnerabilities, with more than 11,000 internet-facing weaknesses across its top 16 banking, financial services, and insurance companies. More than 6,000 of these properties are hosted in the US.

Diverse market-specific vulnerabilities were identified, encompassing a broad spectrum.

  • 5,000.
  • 4,600.
  • 4,200.
  • 3,600.
  • 2,600.

Security risks lurk within software programs, encryption methods, Application Programming Interfaces (APIs), and configurations.

A vulnerability assessment by Tenable revealed multiple easily exploitable entry points within financial institutions in Southeast Asia, including banks, financial organizations, and insurance companies. The cybersecurity firm warned that these “cyber hygiene gaps” pose a potential threat to the integrity and security of financial data.

Weak, outdated SSL/TLS encryption

According to the report:

  • Secure Sockets Layer and Transport Layer Security encryption, intended to safeguard data transmitted online or across computer networks, has been found vulnerable among evaluated organizations.
  • Approximately 2,500 properties among those surveyed continue to utilize TLS 1.0, a 25-year-old security protocol initially released in 1999, which was officially disabled by Microsoft in September 2022.

“Organisations with extensive online presence struggle to identify and update outdated technologies,” according to Tenable.

Misconfiguration of internal assets

Assets originally intended for internal use have inadvertently been exposed to the public. Tenable’s analysis found approximately 4,000 misconfigured devices, leaving them vulnerable to exploitation by external actors.

“Failing to safeguard these inner properties poses a significant threat to organisations, as it creates an opportunity for malicious actors to target sensitive information and critical systems.”

Inconsistent final URL encryption

More than 900 properties were found to have unsecured final URLs.

Unsecured URLs leave data transmissions vulnerable to interception, eavesdropping, and manipulation by malicious entities, as the information exchanged between browsers and servers remains unprotected by encryption.

“This vulnerability can lead to the public disclosure of sensitive information, including login credentials, personal data, or financial details, thereby compromising the confidentiality of communication.”

Establishments worldwide are increasingly relying on API v3 to streamline their operations and enhance customer experiences.

The report identified more than 2,000 API v3 instances across the diverse range of properties examined.

Tenable’s assessment reveals that the API v3 implementation is vulnerable to attack due to insufficient authentication, inadequate input validation, weak access controls, and exploitable weaknesses in dependent libraries, thereby creating a significant attack surface.

Malicious actors can capitalise on these vulnerabilities to gain unlawful access, subvert the authenticity of sensitive information, and orchestrate crippling cyber attacks, warned Tenable’s commentary.

Southeast Asia’s prime financial institutions harbour significant vulnerabilities.

Tenable’s evaluation focused on the top-performing companies by market capitalization in Southeast Asia, examining key metrics to identify the region’s most influential players. While the report’s findings enhance our understanding of the sector’s vulnerability to cyber threats, it’s essential to acknowledge that even the most critical institutions may be at risk, despite having additional resources available.

According to Nigel Ng, senior vice chairman for Asia Pacific and Japan at Tenable, numerous financial institutions across Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam are grappling with “prevalent security gaps” that leave them vulnerable to attack.

Cyber threats to the banking and financial sectors in APAC: A Growing Concern

Global ratings company S&P Global, which provides credit ratings in APAC, has indicated that the cyber risks facing the region’s banking and finance sector are real and will impact their bottom line.

In , S&P Global’s analysts stated that the rising cyber risks across Asia-Pacific banks particularly affect third parties and banks “with a scarcity of expertise.”

S&P Global cited research showing:

With the risk more acute for smaller lenders in the region, S&P Global warned that, although risk mitigation initiatives by regulators and banks have staved off cyber threats, these issues could still occur and affect ratings.

As the S&P Global update noted, “Improper threat mitigation might improve the chance of a profitable incursion and lead us to weaken our view of how cyber dangers are managed. This might have scores results.”
