Hong Kong 2018
Fintech Cyber Security Survey
www.entersoftsecurity.com
This Cyber Security Survey, carried out by Entersoft Security, is a high-level survey of Hong Kong Fintech businesses as of 2018. The survey was carried out in July 2018 against the top Hong Kong based Fintechs of 2017 and early 2018. It helps these Fintech organisations understand the nature and significance of the cyber security threats they may face and what they would need to do to improve security.
Executive Summary:
The Cyber Security Survey 2018 comprised a technical survey of 100+ Hong Kong based upcoming businesses engaged in various segments across the fintech sector in 2017-2018.

Main findings from the Fintech companies in Hong Kong that were surveyed:

- A vast majority had scores higher than the 3000 mark, putting them in the Medium Risk segment in terms of cybersecurity.
- 1/3rd of the fintechs surveyed had not configured SPF (Sender Policy Framework), and 3/4th had not configured DKIM and DMARC, making them vulnerable to phishing attacks.
- 70% of the fintechs have not set up a privacy policy and terms page, or have not displayed links to them on the front page. GDPR compliance as of 2018 should be a major concern, especially for fintechs.
- 42% of the surveyed fintechs were found to be susceptible to the SSL CRIME vulnerability, while less than 7% were found to be susceptible to the SSL POODLE vulnerability.
- A vast majority of the fintechs surveyed had not enabled any protection from XSS attacks, and a sizeable 44% have not configured a Web Application Firewall (WAF), making them vulnerable to a wide range of web attacks.
Risk Level Score Range

Risk Level | Score Range         | Description
Low        | Score > 8000        | Low risk of security controls being compromised, with negligible impact as a result.
Medium     | Score > 6000        | Medium risk of security controls being compromised, with the possibility of limited financial losses occurring as a result.
High       | 2000 < Score < 6000 | High risk of security controls being compromised, with the potential for significant financial losses occurring as a result.
Critical   | Score < 2000        | Extreme risk of security controls being compromised, with the possibility of catastrophic financial losses occurring as a result.

High scores correspond to low security risk.
Average Scores
These average security scores across the various industries in Hong Kong clearly show that the majority of the Fintechs surveyed have not done enough when it comes to securing their web infrastructure online. This technical survey was conducted without any security assessments: open source intelligence was gathered to understand the security posture of the Fintechs. It does not include OWASP Top 10 security testing.

According to the Verizon report, in 2016 financial and espionage were still the top two motives, combining to account for 93% of breaches.
Application Security Simplified

Web applications are the life of a business. We at Entersoft Security are dedicated to strengthening this lifeline by bridging the gap between security and development.

Our best-in-class Application Security experts will substantially improve your Application Security posture. We simplify Application Security through our award-winning Security Assessments and Security Monitoring, and improve your App Security Maturity.
www.entersoftsecurity.com
Phishing Configuration
Phishing attacks have been on the rise for quite some time now. According to the APWG (Anti-Phishing Working Group) report, the financial services industry has more companies targeted by phishing than any other industry sector.

A significantly large number of abusive email messages originate from a forged address, which is an easy task even for inexperienced attackers, by misdirecting the mail servers.

One of the most effective ways of preventing a spammer from spoofing your address and potentially dirtying your domain name is to create an SPF (Sender Policy Framework) record in your DNS zone. SPF records prevent sender address forgery by protecting the envelope sender address, allowing the domain administrator to specify which mail servers are allowed to send mail for their domain.

This anti-spam method, however, requires that you have a properly formatted SPF record and that the receiving server is able to check whether a message complies with this record. SPF is an open standard and is continually updated by its large community of supporters.
[Charts: SPF Configuration, DKIM Configuration, DMARC Configuration, DNSSEC Configuration]
SPF, DMARC and DKIM are the three key components of email security. A large majority of organisations end up configuring them incorrectly, or configuring only one or the other of these components. All three are required to work together to secure email systems effectively. Our survey shows that a large majority, over 75 percent, have not configured DKIM and DMARC, and about 1/3rd have not configured SPF at all.
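The configured / misconfigured split that the SPF and DMARC charts report can be reproduced from a domain's TXT records. The following is an added example, not part of the survey or Entersoft's tooling; the domains and records in it are constructed, and a real check would fetch the TXT records for the domain and for _dmarc.<domain> instead.

```python
"""Evaluate SPF and DMARC TXT records the way an external posture scan would.
Added example; the sample records below are constructed, not from any surveyed domain."""
import re

# optional qualifier, mechanism or modifier, optional ':'/'=' argument, optional CIDR suffix
SPF_TERM = re.compile(
    r"^([+\-~?])?(all|include|ip4|ip6|a|mx|ptr|exists|redirect|exp)"
    r"(?:[:=]([^/]*))?(?:/\d+)?$")
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record):
    """Describe whether an SPF record exists and how it treats unlisted senders."""
    if record is None:
        return {"configured": False, "policy": None, "issues": ["no SPF record published"]}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"configured": False, "policy": None, "issues": ["record is not v=spf1"]}
    policy, issues = None, []
    for term in terms[1:]:
        m = SPF_TERM.match(term.lower())
        if not m:
            issues.append(f"unrecognised term {term!r}")
        elif m.group(2) == "all":  # the 'all' term decides the fate of every unlisted sender
            policy = QUALIFIER[m.group(1) or "+"]
    if policy is None:
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif policy == "pass":
        issues.append("+all lets any host send as this domain")
    return {"configured": True, "policy": policy, "issues": issues}


def evaluate_dmarc(record):
    """Describe a DMARC record's enforcement policy and reporting setup."""
    if record is None:
        return {"configured": False, "policy": None, "issues": ["no _dmarc TXT record published"]}
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v", "").upper() != "DMARC1":
        return {"configured": False, "policy": None, "issues": ["record is not v=DMARC1"]}
    policy, issues = tags.get("p", "").lower(), []
    if policy not in ("none", "quarantine", "reject"):
        policy, issues = None, ["missing or invalid p= tag"]
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports are received")
    return {"configured": True, "policy": policy, "issues": issues}


# Constructed sample domains covering the configured / misconfigured split the survey counts.
SAMPLES = {
    "good.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "weak.example": ("v=spf1 a mx +all", "v=DMARC1; p=none"),
    "none.example": (None, None),
}

def summarise(samples=SAMPLES):
    """Map each domain to (spf_configured, dmarc_configured, number of issues found)."""
    out = {}
    for domain, (spf, dmarc) in samples.items():
        s, d = evaluate_spf(spf), evaluate_dmarc(dmarc)
        out[domain] = (s["configured"], d["configured"], len(s["issues"]) + len(d["issues"]))
    return out
```

Note that a record counts as "configured" even when it is +all or p=none, which is exactly why the survey text stresses that all three controls must be set up correctly, not merely present.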
DNSSEC
Vulnerabilities were recently discovered in the DNS system that allow an attacker to hijack the process of looking someone, or a site, up on the Internet by name. The purpose of the attack is to take control of the session and, for example, send the user to the hijacker's own deceptive web site for account and password collection. DNSSEC was created to counter these vulnerabilities by digitally signing DNS data. Around 89% were found not to have configured DNSSEC in the survey conducted.
[Chart: Phishing Configuration]

[Charts: Privacy Page, Terms Page]
From our survey, we have found that over 70% of the Fintechs scanned are missing a terms page or a privacy page.

Information security and privacy have been seen as completely separate concerns, although there are large areas of interdependency between them. In the current days of GDPR regulation, one needs to strike a balance between information privacy and security to safeguard data.

According to David Hoffman, the director of Intel's security policy and global policy: trust is what customers are looking for; it's a business enabler. Security is about protecting people and assets, either physical or digital. Privacy is a level of respect for an individual's desire to be left alone and/or to have the ability to control the data that relates to them, so they are not negatively impacted by the use of that data in some form. In my opinion, organisations that are able to successfully align and connect these concepts in their practical implementation stand a better chance of establishing trust.

GDPR, the EU regulation enforced from May 2018, is the single most important change in data privacy regulation in the last 20 years; it replaces an outdated data protection directive from 1995. GDPR was approved and adopted by the EU Parliament. It not only applies to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.

Organisations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines; e.g. a company can be fined 2% for not having its records in order.
[Chart: Privacy Configuration]

[Charts: CRIME, POODLE]
SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in online communication. Enabling SSL is a critical step in securing your web apps; however, one must also be aware that certain implementations of SSL are susceptible to vulnerabilities which can leave them exposed. From this survey, we have identified CRIME and POODLE as the major SSL vulnerabilities still lurking around.

CRIME is a client-side attack that abuses the SSL/TLS data compression feature to hijack HTTPS sessions. Over 42% of the Fintechs in our survey were found to be susceptible to the CRIME attack.

POODLE stands for "Padding Oracle On Downgraded Legacy Encryption". It is a protocol downgrade attack: any website that supports SSLv3 is vulnerable to POODLE. Less than 7% of the surveyed Fintechs were found to be susceptible to this vulnerability.
[Chart: Security Configuration]
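Both findings above come down to two server-side settings: TLS compression (CRIME) and SSLv3 support (POODLE). The block below is an added example, not from the survey, showing how a server built on Python's standard ssl module closes both and how to audit a context for them; it assumes Python 3.7+ on OpenSSL 1.1.0g or later, which SSLContext.minimum_version requires.

```python
"""Build a TLS server context that is not exposed to CRIME or POODLE, then audit it.
Added example using only the standard library; not part of the survey."""
import ssl


def hardened_server_context():
    """Server context: TLS 1.2 or newer only, no TLS-level compression, forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # POODLE needs an SSLv3 handshake; a TLS 1.2 floor removes the downgrade target entirely.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CRIME needs TLS compression (DEFLATE) to leak secrets byte by byte; this flag disables it.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Keep only ECDHE key exchange with AES-GCM or ChaCha20; drop NULL/MD5/RC4 legacy suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx):
    """Check a context for the two survey findings plus the protocol floor; True means safe."""
    return {
        "crime_compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "poodle_sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3)
        or ctx.minimum_version > ssl.TLSVersion.SSLv3,
        "tls12_minimum": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def cipher_names(ctx):
    """Names of the suites the context will actually offer (TLS 1.3 suites are always added)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    ctx = hardened_server_context()
    for check, ok in audit_context(ctx).items():
        print(f"{check:28s} {'OK' if ok else 'FAIL'}")
    print("ciphers offered:", ", ".join(cipher_names(ctx)))
```

The same two properties are what an external scan infers from the handshake: whether the server accepts a compression method other than null, and whether it completes an SSLv3 ClientHello.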
Software Configuration
Strict HTTPS (HTTP Strict Transport Security, HSTS) lets a web site tell browsers that it should only be accessed using HTTPS instead of HTTP. This mechanism helps to protect websites against MITM (man-in-the-middle) attacks, protocol downgrade attacks and cookie hijacking. Our survey shows that a little over 1/3rd of them had not configured the Strict HTTPS mechanism.
[Chart: Strict HTTPS]
In the last few years there has been a notable rising trend in hacking against websites, web applications and web servers, making them the number one target of hackers. Web application firewalls are built to trap malicious web traffic that other security appliances might miss before it reaches the actual web server. A WAF can also help your organisation become compliant with HIPAA and PCI-DSS. 44% of the fintechs in our survey have not configured a WAF, thereby making them vulnerable to a wide range of attacks.
[Chart: Web Application Firewall (WAF)]
Cross-site scripting, also known as XSS, is essentially a way to inject code that will perform actions in the user's browser on behalf of a website. Less than 10% of the fintechs surveyed had enabled XSS protection. This is consistent with the trend shown in the 2016 case study by Scott Helme, a UK-based cybersecurity researcher.
[Chart: XSS Configuration]
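The Strict HTTPS and XSS protection findings in this section are both read straight from a site's response headers, so one check covers both. The block below is an added example, not part of the survey or Entersoft's scanner; the three header sets are constructed, and a real check would take them from an HTTPS response to the site's front page.

```python
"""Audit response headers for the two browser-side controls this section covers: Strict HTTPS
(Strict-Transport-Security) and XSS protection (a Content-Security-Policy that restricts scripts).
Added example; the header sets at the bottom are constructed, not taken from any surveyed site."""

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum for HSTS max-age


def parse_hsts(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"')
    return out


def parse_csp(value):
    """"default-src 'self'; script-src 'none'" -> {'default-src': "'self'", 'script-src': "'none'"}"""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = " ".join(tokens[1:])
    return out


def audit_headers(headers):
    """Return findings (empty list = clean) for a mapping of response header names to values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("strict https: no Strict-Transport-Security header; plain-HTTP visits can be downgraded")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"strict https: max-age={max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("strict https: includeSubDomains missing; subdomains remain downgradable")
    csp = h.get("content-security-policy")
    if csp is None:
        # X-XSS-Protection, which 2018-era scans counted, is a legacy header that current browsers
        # ignore; a script-restricting CSP is the control that actually limits injected scripts.
        findings.append("xss: no Content-Security-Policy header")
    else:
        d = parse_csp(csp)
        script_src = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
        if script_src is None:
            findings.append("xss: CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src:
            findings.append("xss: CSP allows 'unsafe-inline' scripts, which defeats its XSS protection")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("xss: X-Content-Type-Options: nosniff missing; MIME sniffing can run uploads as script")
    return findings


# Constructed response header sets: a bare server, a half-configured one, and a hardened one.
BARE = {"Content-Type": "text/html"}
PARTIAL = {"Strict-Transport-Security": "max-age=300",
           "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
            "X-Content-Type-Options": "nosniff"}
```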
RISK Level Categorisation
The security risk graph above, across the various industries in Hong Kong, clearly shows that a majority of the Fintechs surveyed (shown in red and orange) stand at a higher probability of being hacked or being vulnerable to simple attacks.
Security Scores
The security scores graph above, across the various industries in Hong Kong, clearly shows that a majority of the Fintechs surveyed have not done enough to protect themselves against phishing attacks, which is consistent with reports of a rising trend in phishing attacks globally.