Proprietary Research from Tenable Calculates External Attack Surface of Singapore’s Largest Organisations

New research conducted by Tenable®, Inc., the Exposure Management company, has uncovered more than 400,000 potential internet-facing vulnerabilities among Singapore’s top 25 companies by market capitalisation.  

On June 28, 2023, Tenable conducted an examination of the external attack surface of 25 of Singapore's organisations with the largest market capital (as listed on Companies Market Cap). The findings revealed that the average organisation possesses nearly 16,000 internet-facing assets susceptible to potential exploitation, resulting in a total of more than 400,000 assets across the study group.

“Singapore is one of Asia’s most advanced digital economies and tops the region in digital transformation. As digital adoption grows and becomes more interconnected, the immense scale of cybersecurity architecture needed to protect sensitive data and critical systems cannot be underestimated,” said Nigel Ng, Senior Vice President, Tenable APJ.

The Tenable study found a number of cyber hygiene issues such as outdated software, weak encryption and misconfigurations present within the largest organisations in Singapore. Cybercriminals constantly monitor these potential attack surfaces and look for entry points for exploitation. 

The study also found that the top 25 organisations in each of the following countries have more than 1 million combined potential Internet-facing vulnerabilities. 

“Despite its status as an advanced digital economy, Singapore emerged with the highest number of vulnerabilities among the countries studied. This is a clarion call for Singapore organisations to start recognising that every single internet-facing asset serves as a potential entry point for exploitation,” added Ng. “Attackers diligently monitor the attack surface maps of their targeted organisations, searching for vulnerabilities that organisations may not even be aware of. Companies must act now to gain better visibility of their potential attack surfaces, and work to better manage risks and prioritise mitigation.”

Weak SSL/TLS encryption 

 One striking observation is that out of the total number of assets in Singapore, organisations had over 200,000 that still support TLS 1.0 [a security protocol first defined in 1999 for establishing encrypted channels over computer networks] that was disabled by Microsoft in September [2022]. This is just one example demonstrating how challenging it’s become for organisations with large internet footprints to identify and update outdated technology.

Outdated version of Log4J still present
The examination revealed that out of the total assets in Singapore, over 8,000 are still susceptible to the Log4J vulnerability. This alarming finding highlights a significant concern, as known vulnerabilities like Log4J are the primary cause of a majority of cyberattacks. By relying on outdated versions of Log4J, organizations are leaving themselves exposed to potential cybersecurity breaches. 

Misconfiguration increases external exposure
Another alarming finding was that over 6,000 assets out of the total in Singapore, initially intended for internal use, have been inadvertently exposed and are now accessible externally. Not hardening these internal assets presents a substantial risk to organizations, as it effectively opens the door for malicious actors to target sensitive information and critical systems. 

API vulnerabilities amplify risk
Furthermore, the identification of over 6,000 APIs out of the total number of assets among organisations' digital infrastructure in Singapore poses a substantial risk to their security and operational integrity.

The identification of over 6,000 APIs within the digital infrastructure of organizations in Singapore poses a significant risk to their security and operational integrity.

APIs serve as crucial connectors between software applications, facilitating seamless data exchange. However, inadequate authentication, insufficient input validation, weak access controls, and vulnerabilities in dependencies within API v3 implementations create a vulnerable attack surface.

Such weaknesses can be exploited by malicious actors to gain unauthorised access, compromise data integrity, and launch devastating cyber attacks.

"An alarming reality is that only a handful of organisations possess a comprehensive understanding of their complete digital footprint. One of the most prevalent and perilous security oversights is the inadvertent misconfiguration of cloud resources, making them vulnerable to the internet," highlighted Nathan Wenzler, Chief Cybersecurity Strategist at Tenable. "It is crucial for every business or government entity to possess advanced capabilities that can identify previously invisible points of vulnerability. By proactively preventing attacks rather than merely managing them, organisations can effectively safeguard their digital infrastructure."

About Tenable
Tenable® is the Exposure Management company. Approximately 43,000 organisations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at tenable.com.

Notes to Editors:

1. Tenable examined the top 25 companies, listed on https://companiesmarketcap.com/singapore/largest-companies-in-singapore-by-market-cap/
    
2. In the context of this alert:

• An asset is a domain name, subdomain, or IP addresses and/or combination thereof of a device connected to the Internet or internal network. An asset may include, but not limited to web servers, name servers, IoT devices, network printers, etc. Example: foo.tld, bar.foo.tld, x.x.x.xs.
• The Attack Surface is from the network perspective of an adversary, the complete asset inventory of an organisation including all actively listening services (open ports) on each asset.

Media contact:
Tenable PR
[email protected]