New research conducted by Tenable®, Inc., the exposure management company, has uncovered more than 26,500 potential internet-facing assets among Southeast Asia's top banking, financial services, and insurance (BFSI) companies by market capitalisation across Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam.
Tenable examined the external attack surface of over 90 BFS organisations with the largest market capitalisations across the region. The findings revealed that the average organisation possesses nearly 300 internet-facing assets susceptible to potential exploitation, resulting in a total of more than 26,500 assets across the study group.
Singapore ranked the highest among the six countries assessed, with over 11,000 internet-facing assets identified across its top 16 BFSI companies. Over 6,000 of those assets are hosted in the United States. Next on the list is Thailand, with over 5000 assets. The distribution of internet-accessible assets underscores the need for cybersecurity strategies that adapt to the rapidly evolving digital landscape.
"The results of our study reveal that many financial institutions are struggling to close the priority security gaps that put them at risk. Effective exposure management is key to closing these gaps," said Nigel Ng, Senior Vice President, Tenable APJ. “By identifying and securing vulnerable assets before they can be exploited, organisations can better protect themselves against the growing tide of cyberattacks.”
Cyber Hygiene Gaps
The Tenable study revealed many potential vulnerabilities and exposed several cyber hygiene issues among the study group, including outdated software, weak encryption, and misconfigurations. These vulnerabilities provide cybercriminals with easily exploitable potential entry points, posing a potential risk to the integrity and security of financial data.
Weak SSL/TLS Encryption
A notable finding is that among the total assets, organisations had nearly 2,500 still supporting TLS 1.0—a 25-year-old security protocol introduced in 1999 and disabled by Microsoft in September 2022. This highlights the significant challenge organisations with extensive internet footprints face in identifying and updating outdated technologies.
Misconfiguration Increases External Exposure
Another concerning discovery was that over 4,000 assets, originally intended for internal use, were inadvertently exposed and are now accessible externally. Failing to secure these internal assets poses a significant risk to organisations, as it creates an opportunity for malicious actors to target sensitive information and critical systems.
Lack Of Encryption
There were over 900 assets with unencrypted final URLs, which can present a security weakness. When URLs are unencrypted, the data transmitted between the user's browser and the server is not protected by encryption, making it vulnerable to interception, eavesdropping, and manipulation by malicious actors. This lack of encryption can lead to the exposure of sensitive information, such as login credentials, personal data, or payment details, and can compromise the integrity of the communication.
API Vulnerabilities Amplify Risk
The identification of over 2,000 API v3 out of the total number of assets among organisations' digital infrastructure poses a substantial risk to their security and operational integrity.
APIs serve as crucial connectors between software applications, facilitating seamless data exchange. However, inadequate authentication, insufficient input validation, weak access controls, and vulnerabilities in dependencies within API v3 implementations create a vulnerable attack surface.
Malicious actors can exploit such weaknesses to gain unauthorised access, compromise data integrity, and launch devastating cyber attacks.
"The cybersecurity landscape is evolving faster than ever, and financial institutions must evolve with it so they can know where they are exposed and take action to close critical risk," Ng added. “By prioritising exposure management, these organisations can better protect their digital assets, safeguard customer trust, and ensure the resilience of their operations in an increasingly hostile digital environment.” (ANI)