Over 400,000 potential Internet-facing vulnerabilities have been uncovered among Singapore’s top 25 companies by market capitalisation, according to cybersecurity firm Tenable.
This figure is the highest among the four Asia-Pacific countries it had polled in a study released yesterday.
“Despite its status as an advanced digital economy, Singapore emerged with the highest number of vulnerabilities among the countries studied,” said Nigel Ng, senior vice-president for Tenable APJ.
“This is a clarion call for Singapore organisations to start recognising that every single internet-facing asset serves as a potential entry point for exploitation,” he noted.
Cybercriminals constantly monitor these potential attack surfaces and look for entry points for exploitation. Proactively addressing vulnerabilities in the external attack surface helps organisations reduce the risk of cyber attacks, data breaches, and unauthorised access.
The cyber hygiene issues faced by the largest organisations in Singapore were the same ones faced by organisations in India, Australia and Japan. These included outdated software, weak encryption and misconfigurations.
An example of outdated software is support for TLS 1.0, a security protocol first defined in 1999 for establishing encrypted channels over computer networks, which Microsoft disabled in September 2022.
The top 25 companies in Singapore have 200,000 Web-based assets that still support TLS 1.0. In India, there are 80,000 such assets, 9,500 in Australia, and 7,000 in Japan.
Many assets among the companies are also susceptible to the well-publicised Log4J vulnerability that plagued organisations more than a year ago.
This is a major concern as it is still the primary cause of a majority of cyberattacks. In Singapore, 8,000 assets are susceptible, 40,000 in India, 8,000 in Australia and 4,000 in Japan.
Another concerning discovery was that assets meant for internal use have been inadvertently exposed and made accessible externally: over 6,000 in top companies in Singapore, 8,000 in India, 12,000 in Australia, and 12,000 in Japan.
This poses significant risks, as it opens the door for malicious attackers to target sensitive information and critical systems.
In addition, more than 6,000 APIs among the assets within the top Singaporean organisations’ digital infrastructure pose a significant security risk. In both India and Australia, 4,000 APIs are affected, while 6,000 APIs in Japan are vulnerable.
APIs serve as key connectors between software applications, enabling seamless data exchange. However, poor authentication, poor input validation, weak access controls, and dependency vulnerabilities within the API v3 implementation create a vulnerable attack surface.
Such vulnerabilities can be exploited by malicious attackers to gain unauthorised access, compromise data integrity, and launch attacks.
“An alarming reality is that only a handful of organisations possess a comprehensive understanding of their complete digital footprint,” said Nathan Wenzler, chief cybersecurity strategist at Tenable.
“One of the most prevalent and perilous security oversights is the inadvertent misconfiguration of cloud resources, making them vulnerable to the internet,” he noted.
“It is crucial for every business or government entity to possess advanced capabilities that can identify previously invisible points of vulnerability,” he added.