Over 4,000 BFSI assets wrongly exposed in SEA
About 300 internet-facing assets can be exploited.
There are more than 26,500 potential internet-facing assets amongst Southeast Asia's leading banking, financial services, and insurance (BFSI) companies, Tenable revealed.
The findings revealed an average of nearly 300 internet-facing assets per organisation that could be exploited.
Singapore led the region with over 11,000 internet-facing assets identified across its top 16 BFSI companies, with more than 6,000 of those assets hosted in the United States. Thailand followed with over 5,000 assets.
Tenable’s research highlighted several cyber hygiene issues, including outdated software, weak encryption, and misconfigurations, which present exploitable entry points for cybercriminals.
Notably, nearly 2,500 assets were found still supporting TLS 1.0, a 25-year-old security protocol that was disabled by Microsoft in September 2022.
Additionally, over 4,000 assets initially intended for internal use were exposed externally, and more than 900 assets had unencrypted final URLs, posing significant security risks.
The study also uncovered vulnerabilities in API implementations, with over 2,000 instances of API v3 identified. These APIs are crucial for data exchange between software applications but present a substantial risk when not properly secured.
The study, conducted on 15 July, examined over 90 BFSI organisations with the largest market capitalisations across Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam.