sb-as logo
Story image

Global banks fail to keep up with application security

15 Jul 2019

Many of the world’s largest banks are the cybersecurity equivalent of swiss cheese, with many that would fail GDPR compliance tests – an oversight that puts banks and their customers at risk.

A recent ImmuniWeb study on 100 banks across the world – including 36 in Asia and five in Australia – found that the organisations show an alarming lack of security across their banking applications.

In one case, the study found that one bank had an unpatched vulnerability that has existed since at least 2011 – suggesting that banks need to do more to ensure their systems are safe.
The study analysed three different aspects of bank security: compliance, security vulnerabilities, and website security.

Compliance: 

•    85 e-banking web application failed a GDPR compliance test
•    49 e-banking web applications failed a PCI DSS compliance test 
•    25 e-banking web applications are not protected by a web application firewall. 

Security vulnerabilities: 

•    Seven e-banking web applications contain known and exploitable vulnerabilities 
•    The oldest unpatched vulnerability is known and publicly disclosed since 2011 
•    92% of mobile banking applications contain at least one medium-risk security vulnerability 
•    100% of all banks have security vulnerabilities or issues related to forgotten subdomains

Website security 

Only three main websites out of 100 had the highest grades ''A+'' both for SSL encryption and website security:  Credit Suisse (Switzerland), Danske Banke (Denmark), and Handelsbanken (Sweden).

Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” comments ImmuniWeb CEO and founder Ilia Kolochenko. 

“Most of the data breaches involve or start with insecure web and mobile apps that too frequently underprioritised by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low hanging fruits for cybercriminals.''

ImmuniWeb says that banks should:

1. Consider implementing Gartner’s CARTA strategy to enhance cybersecurity strategy.

2. Maintain a holistic and up-to-date inventory of assets located in the external attack surface, identify all software and its components used, run actionable security scoring on it to enable threat-aware and risk-based remediation.

3. Implement continuous security monitoring of external attack surfaces, test new code before and after deployment to production, start implementing DevSecOps approach to application security.

4. Consider leveraging machine learning and AI capacities to handle time-consuming and routine processes, freeing up security personnel for more important tasks.

Story image
IronNet expands Asia Pacific presence with new strategic partnership
“The combination of M.Tech’s extensive network in Asia Pacific and our unparalleled expertise in threat intelligence and detection will help more enterprises across the region to proactively identify and take down known and unknown threats before they happen.”More
Story image
Fortinet promises free cybersecurity training until skills gap trend reverses
"We are committed to continue offering the entire catalogue of self-paced Network Security Expert training at no cost until we see the skills gap trend reverse."More
Story image
Cybersecurity spending to increase following SolarWinds hacking
Hackers breached software provider SolarWinds, directly infecting the company’s Orion software as well as several local, state and federal agencies.More
Story image
Kaspersky steps in to protect automotive industry from cyber threats
The company’s TI report, previously available for a selected range of customers, is able to provide car manufacturers with in-depth analysis of industry-specific security threats.More
Story image
IT professionals destroying end-of-life hardware over fears of data breaches - report
IT directors are destroying end of life tech hardware as opposed to erasing its data out of fear of making a mistake and facing data breaches.More
Story image
Cybersecurity strategies must involve every part of the organisation - study
In the past year, a third of the breaches incorporated social engineering techniques and the cost of a breach caused by a human error averaged to $3.33 million. More