Southeast Asia's financial sector faces major cybersecurity risks

New research from Tenable has revealed substantial cybersecurity risks within Southeast Asia's financial sector.

The study identified over 26,500 internet-facing assets that are susceptible to potential exploitation across Singapore, Thailand, Malaysia, Indonesia, Vietnam, and the Philippines. This assessment examined the external attack surface of more than 90 leading banking, financial services, and insurance (BFSI) organisations by market capitalisation.

Singapore surfaced as the country with the highest number of internet-facing assets, totalling over 11,000 among its top 16 BFSI companies. A significant portion of these assets is hosted externally in the United States. Thailand followed with more than 5,000 assets. The findings underscore the widespread nature of cybersecurity challenges across the region.

"The results of our study reveal that many financial institutions are struggling to close the priority security gaps that put them at risk. Effective exposure management is key to closing these gaps," stated Nigel Ng, Senior Vice President, Tenable APJ. "By identifying and securing vulnerable assets before they can be exploited, organisations can better protect themselves against the growing tide of cyberattacks."

Several critical vulnerabilities have been identified. These include outdated software, weak SSL/TLS encryption, and misconfigurations, all of which create potential entry points for cybercriminals. Specific issues highlighted by the study include the use of outdated TLS 1.0 encryption protocol still supported by nearly 2,500 of the total assets evaluated. This protocol, introduced in 1999, was disabled by Microsoft in September 2022, highlighting the challenge institutions face in keeping their systems updated.

Another concerning finding revealed that over 4,000 assets, initially intended for internal use, were inadvertently made accessible externally. This misconfiguration poses a significant risk, creating opportunities for malicious actors to target sensitive information and critical systems.

Additionally, the study identified more than 900 assets with unencrypted final URLs. Such a security weakness leaves data transmitted between the user's browser and the server vulnerable to interception and manipulation by malicious actors. This lack of encryption can expose sensitive information such as login credentials, personal data, and payment details, compromising the integrity of the communication channel.

The research also flagged over 2,000 API v3 implementations as potential vulnerabilities. APIs are essential for connecting software applications and facilitating seamless data exchange. However, weaknesses in authentication, input validation, and access controls within these APIs create an exploitable attack surface. Malicious actors can leverage these weaknesses to gain unauthorised access, compromise data integrity, and launch cyber attacks.

Ng stressed the urgency of adopting robust cybersecurity strategies. "The cybersecurity landscape is evolving faster than ever, and financial institutions must evolve with it. By prioritising exposure management, these organisations can better protect their digital assets, safeguard customer trust, and ensure the resilience of their operations in an increasingly hostile digital environment."