sb-eu logo
Story image

Global banks fail to keep up with application security

15 Jul 2019

Many of the world’s largest banks are the cybersecurity equivalent of swiss cheese, with many that would fail GDPR compliance tests – an oversight that puts banks and their customers at risk.

A recent ImmuniWeb study on 100 banks across the world – including 36 in Asia and five in Australia – found that the organisations show an alarming lack of security across their banking applications.

In one case, the study found that one bank had an unpatched vulnerability that has existed since at least 2011 – suggesting that banks need to do more to ensure their systems are safe.
The study analysed three different aspects of bank security: compliance, security vulnerabilities, and website security.

Compliance: 

•    85 e-banking web application failed a GDPR compliance test
•    49 e-banking web applications failed a PCI DSS compliance test 
•    25 e-banking web applications are not protected by a web application firewall. 

Security vulnerabilities: 

•    Seven e-banking web applications contain known and exploitable vulnerabilities 
•    The oldest unpatched vulnerability is known and publicly disclosed since 2011 
•    92% of mobile banking applications contain at least one medium-risk security vulnerability 
•    100% of all banks have security vulnerabilities or issues related to forgotten subdomains

Website security 

Only three main websites out of 100 had the highest grades ''A+'' both for SSL encryption and website security:  Credit Suisse (Switzerland), Danske Banke (Denmark), and Handelsbanken (Sweden).

Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” comments ImmuniWeb CEO and founder Ilia Kolochenko. 

“Most of the data breaches involve or start with insecure web and mobile apps that too frequently underprioritised by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low hanging fruits for cybercriminals.''

ImmuniWeb says that banks should:

1. Consider implementing Gartner’s CARTA strategy to enhance cybersecurity strategy.

2. Maintain a holistic and up-to-date inventory of assets located in the external attack surface, identify all software and its components used, run actionable security scoring on it to enable threat-aware and risk-based remediation.

3. Implement continuous security monitoring of external attack surfaces, test new code before and after deployment to production, start implementing DevSecOps approach to application security.

4. Consider leveraging machine learning and AI capacities to handle time-consuming and routine processes, freeing up security personnel for more important tasks.

Story image
Rising threat of data breaches among enterprises drives growth in network security revenue
"Key factors leading to the growth of network security market revenue in the Asia Pacific region includes instances of ransomware attacks, targeted attacks and phishing."More
Story image
Vectra expands NDR capabilities across all network environments
Vectra’s network threat detection and response (NDR) solution is designed to use cloud identities that track and link attacker activities and progression across all networks.More
Story image
DDoS attacks surge, becoming more sophisticated
After doubling from Q1 to Q2, the total number of network layer attacks observed in Q3 doubled again — resulting in a 4x increase in number compared to the pre-COVID levels in the first quarter. More
Story image
Acronis accelerates growth plans with CyberLynx acquisition
"Acquiring these capabilities will advance Acronis' mission to deliver world-class cyber protection to organisations around the world."More
Story image
Kaspersky unveils two major update to its Transparency Initiative
The company has announced the opening of a new Transparency Center, as well as the ompletion of a widespread transferal of data storage and processing activities to Switzerland.More
Story image
Video: 10 Minute IT Jams - SonicWall VP on the benefits of Boundless Cybersecurity
Today's interviewee will discuss the ins and outs of the company's Boundless Cybersecurity solution and how it can help APAC organisations adjust to the new normal, as well as explaining the 'cybersecurity business gap'.More