Fintech Cyber Security Survey

Hong Kong 2018

www.entersoftsecurity.com

This Cyber Security Survey carried out by Entersoft Security is a high-level survey of Hong Kong Fintech businesses as of 2018. The survey was carried out in July 2018 against the top Hong Kong based Fintechs of 2017 and early 2018. It helps these Fintech organisations understand the nature and significance of the cyber security threats that they may face and what they would need to do to improve security.

Executive Summary:

The Cyber Security Survey 2018 comprised a technical survey of 100+ Hong Kong based upcoming businesses engaged in various segments across the fintech sectors from the year 2017-2018.

Main findings from the Fintech companies in Hong Kong that were surveyed:

- A vast majority had scores higher than the 3000 mark, putting them in the Medium Risk segment in terms of cybersecurity.

- 1/3rd of the fintechs surveyed had not configured SPF (Sender Policy Framework), and 3/4th of the fintechs had not configured DKIM and DMARC, thereby making them vulnerable to phishing attacks.

- 70% of the fintechs have not set up a privacy policy & terms page, or have not displayed the links for the same on the front page. GDPR compliance as of 2018 should be a major concern, even more so for fintechs.

- 42% of the surveyed fintechs have been found to be susceptible to the SSL CRIME vulnerability; however, less than 7% of them have also been found to be susceptible to the SSL POODLE vulnerability.

- A vast majority of the fintechs surveyed had not enabled any protection from XSS attacks. While a sizeable majority, 44% of the fintechs have not configured a Web Application Firewall (WAF), thereby making them vulnerable to a wide range of web attacks.

Risk Level Score Range (high scores correspond to low security risk):

Risk Level   Score Range           Meaning
Low          Score > 8000          Low risk of security controls being compromised, with negligible impact as a result.
Medium       Score > 6000          Medium risk of security controls being compromised, with the possibility of limited financial losses occurring as a result.
High         2000 < Score < 6000   High risk of security controls being compromised, with the potential for significant financial losses occurring as a result.
Critical     Score < 2000          Extreme risk of security controls being compromised, with the possibility of catastrophic financial losses occurring as a result.
Average Scores

These average security scores across the various industries in Hong Kong clearly show that the majority of the Fintechs surveyed have not done enough when it comes to securing their web infrastructure online. This technical survey was conducted without any security assessments: Open Source Intelligence was gathered to understand the security posture of the Fintechs. It does not include OWASP Top 10 security testing. According to the Verizon report, in 2016 financial and espionage were still the top two motives, combining to account for 93% of breaches.
Application Security Simplified

Web Applications are the life of a business. We at Entersoft Security are dedicated to strengthening this lifeline by bridging the gap between security and development.

Our best-in-class Application Security experts will substantially improve your Application Security Posture. We simplify Application Security through our award-winning Security Assessments and Security Monitoring, and improve your App Security Maturity.

www.entersoftsecurity.com


Phishing Configuration

Phishing attacks have been on the rise for quite some time now.

According to the APWG (Anti-Phishing Working Group) report, the financial services industry has more companies being targeted by phishing than any other industry sector.

A significantly large number of abusive email messages originate from a forged sender address, which is an easy task even for novice attackers, since the forgery misdirects the receiving mail servers.

One of the most effective ways of preventing a spammer from spoofing your address and potentially tarnishing your domain name is to create an SPF (Sender Policy Framework) record in your DNS zone. SPF records prevent sender address forgery by protecting the envelope sender address, allowing the domain administrator to specify which mail servers are allowed to send mail from their domain.

This anti-spam method, however, requires that you have a properly formatted SPF record and that the receiving server has the ability to check whether the message complies with this record. SPF is an open standard and is constantly updated by the vast community of its supporters.
Phishing Configuration (charts): SPF Configuration, DKIM Configuration, DMARC Configuration, DNSSEC Configuration


SPF, DMARC and DKIM are the three key components of email security.

A large majority of organisations end up configuring them incorrectly, or configuring only one or the other of these components. All three components are required in order to work effectively and secure email systems. Our survey shows that a large majority of over 75 percent have not configured DKIM and DMARC, and about 1/3rd of them have not even configured SPF at all.
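The SPF, DKIM and DMARC findings above can be reproduced for any domain by inspecting its DNS TXT records. The following Python script is an added example, not code from the survey or from Entersoft; the domain names and TXT answers in it are constructed for illustration, and a real check would fetch the same names with a DNS resolver such as dnspython instead of the in-memory dict used here.

```python
"""Email-authentication posture check: SPF, DKIM and DMARC from DNS TXT data.

Added example. The TXT answers below are constructed for two hypothetical
domains; a real check would query DNS (e.g. with dnspython) for the same names.
"""
import re

# Constructed sample TXT answers, keyed by DNS name (not survey data).
SAMPLE_TXT = {
    "well-configured.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.well-configured.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@well-configured.test"],
    "mail._domainkey.well-configured.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weak.test": ["v=spf1 a mx ~all", "site-verification=abc123"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

# Rating of the SPF "all" mechanism by its qualifier (RFC 7208 section 4.6.2).
ALL_QUALIFIER_RATING = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txt_records):
    """Return missing / invalid / no-all / hardfail / softfail / neutral / pass-all."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # more than one SPF record is a permanent error for receivers
    match = re.search(r"(?:^|\s)([+~?-]?)all(?:\s|$)", spf[0], re.IGNORECASE)
    if not match:
        return "no-all"  # no terminal "all": unlisted senders are evaluated as Neutral
    return ALL_QUALIFIER_RATING[match.group(1) or "+"]


def assess_dmarc(txt_records):
    """Return missing / invalid / none / quarantine / reject (the published p= policy)."""
    dmarc = [t for t in txt_records if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "missing"
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else "invalid"


def assess_dkim(txt_records):
    """Return missing / revoked / published for one selector's TXT answer."""
    keyed = [tags for tags in (parse_tags(t) for t in txt_records) if "p" in tags]
    if not keyed:
        return "missing"
    # RFC 6376: an empty p= tag means the key has been revoked.
    return "published" if any(tags["p"] for tags in keyed) else "revoked"


def assess_domain(domain, records, dkim_selectors=("mail",)):
    """Combine the three checks and decide whether receivers can act on spoofed mail."""
    def lookup(name):
        return records.get(name, [])

    dkim_states = [assess_dkim(lookup(f"{s}._domainkey.{domain}")) for s in dkim_selectors]
    if "published" in dkim_states:
        dkim = "published"
    elif "revoked" in dkim_states:
        dkim = "revoked"
    else:
        dkim = "missing"

    result = {
        "spf": assess_spf(lookup(domain)),
        "dkim": dkim,
        "dmarc": assess_dmarc(lookup(f"_dmarc.{domain}")),
    }
    # All three must be present, and DMARC must be enforcing, for spoofed mail to be acted on.
    result["phishing_resistant"] = (
        result["spf"] in ("hardfail", "softfail")
        and result["dkim"] == "published"
        and result["dmarc"] in ("quarantine", "reject")
    )
    return result


if __name__ == "__main__":
    for name in ("well-configured.test", "weak.test"):
        print(name, assess_domain(name, SAMPLE_TXT))
```

DKIM selectors cannot be enumerated from DNS, so the `dkim_selectors` argument has to come from a `DKIM-Signature` header of a message the domain actually sent; a "missing" DKIM result for an unknown selector only means that selector was not found. A DMARC policy of `p=none` is counted as not phishing resistant because it asks receivers to report spoofed mail but not to quarantine or reject it.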

DNSSEC

Recently, vulnerabilities in the DNS system were discovered that allow an attacker to hijack the process of looking someone, or a site, up on the Internet by name. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker's own deceptive web site for account and password collection. DNSSEC was created to counter these vulnerabilities by digitally signing the DNS data. Around 89% of the fintechs in the survey conducted were found not to have configured DNSSEC.
Privacy Configuration

Privacy Configuration (charts): Privacy Page, Terms Page

From our survey, we have found that over 70% of the Fintechs scanned have either not set up a terms page or a privacy page.

Information security and privacy have been seen as completely separate concerns, although there are large areas of interdependency between them. In the current era of GDPR regulation, one needs to strike a balance between information privacy and security to safeguard data.

According to David Hoffman, the director of Intel's security policy & global policy: trust is what customers are looking for; it's a business enabler.

Security is about protecting people and assets, either physical or digital. Privacy is a level of respect for an individual's desire to be left alone and/or have the ability to control the data that relates to them, so they are not negatively impacted by the use of that data in some form. In my opinion, organisations that are able to successfully align and connect these concepts in their practical implementation stand a better chance of establishing trust.

GDPR, the EU regulation, which has been enforced from May 2018, is the single most important change in data privacy regulation in the last 20 years; it replaces an outdated data protection directive from 1995.

GDPR was approved and adopted by the EU Parliament. GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.

Organisations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order.
Security Configuration

Security Configuration (charts): CRIME, POODLE

SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in an online communication. Enabling SSL is a critical step in securing your web apps; however, one must also be aware that certain implementations of SSL are susceptible to vulnerabilities which can leave them exposed.

From this survey, we have identified CRIME and POODLE to be the major SSL vulnerabilities still lurking around.

CRIME is a client-side attack that abuses the SSL/TLS data compression feature to hijack HTTPS sessions. Over 42% of the Fintechs in our survey were found to be susceptible to the CRIME attack.

POODLE stands for "Padding Oracle On Downgraded Legacy Encryption". This is a protocol downgrade attack. Any website that supports SSLv3 is vulnerable to POODLE. Less than 7% of the surveyed Fintechs were found to be susceptible to this vulnerability.
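Both findings above are server configuration problems with direct fixes: CRIME depends on TLS-level compression being enabled, and POODLE depends on SSLv3 being negotiable. The Python below is an added example (not code from the survey or Entersoft) that builds a server-side TLS context with both removed and audits a context for the two conditions; the `audit_settings` helper takes the raw option bits and minimum version so the classification can be exercised without a live listener.

```python
"""Server-side TLS hardening and audit for the two findings above: CRIME and POODLE.

Added example (not from the survey). CRIME needs TLS-level compression, so
OP_NO_COMPRESSION removes it; POODLE needs SSLv3, so a TLS 1.2 floor removes it.
"""
import ssl


def harden_tls_context():
    """Return a server SSLContext that cannot negotiate compression or SSLv3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # POODLE: a TLS 1.2 floor rules out SSLv3 and the TLS 1.0/1.1 downgrade path.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CRIME: refuse TLS compression, which the attack depends on.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Let the server, not the client, choose the cipher suite order.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit_settings(options, minimum_version):
    """Classify raw option bits and a minimum protocol version (ints or ssl enums).

    Returns one boolean per finding; True means the configuration is exposed.
    """
    compression_off = bool(options & ssl.OP_NO_COMPRESSION)
    # SSLv3 is off if either the OP_NO_SSLv3 bit is set or the floor is at least TLS 1.0.
    sslv3_off = bool(options & ssl.OP_NO_SSLv3) or minimum_version >= ssl.TLSVersion.TLSv1
    return {
        "crime_exposed": not compression_off,
        "poodle_exposed": not sslv3_off,
        "tls_below_1_2_allowed": minimum_version < ssl.TLSVersion.TLSv1_2,
    }


def audit_tls_context(ctx):
    """Audit a live SSLContext; the survey's two SSL findings map to the first two keys."""
    return audit_settings(ctx.options, ctx.minimum_version)


if __name__ == "__main__":
    print("hardened:", audit_tls_context(harden_tls_context()))
    # Constructed legacy settings: no option bits set and an SSLv3 floor.
    print("legacy:  ", audit_settings(0, int(ssl.TLSVersion.SSLv3)))
```

The same two settings appear in web server configuration as a protocol list that starts at TLS 1.2 and compression left off; scanning a live endpoint for the conditions this audits (compression offered, SSLv3 accepted) is what the survey's CRIME and POODLE percentages measure.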
Software Configuration

Web Application Firewall (WAF)

In the last few years, there has been a notable rising trend in hacking against websites, web applications and web servers, making them the number one target of hackers. Web application firewalls are built to trap malicious web traffic that security appliances might miss before it reaches the actual web server. A WAF can also help your organisation become compliant with HIPAA and PCI-DSS regulations. 44% of the fintechs in our survey have not configured a WAF, thereby making them vulnerable to a wide range of attacks.

XSS Configuration

Cross-site scripting, also known as XSS, is basically a way to inject code that will perform actions in the user's browser on behalf of a website. Less than 10% of the fintechs surveyed had enabled XSS protection. This has been a consistent trend that also shows up in the 2016 case study of Scott Helme, a U.K. based cybersecurity researcher.

Strict HTTPS

Strict HTTPS lets a web site tell browsers that it should only be accessed using HTTPS, instead of HTTP. This mechanism helps to protect websites against MITM (man-in-the-middle) attacks, protocol downgrade attacks and cookie hijacking. Our survey shows that a little over 1/3rd of them had not configured the strict HTTPS mechanism.
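Both of the findings above are answered by HTTP response headers: Strict HTTPS is the `Strict-Transport-Security` (HSTS) header, and the "XSS protection" the survey counted is the `X-XSS-Protection` header, with `Content-Security-Policy` as the control that has since replaced it. The Python below is an added example (not code from the survey or Entersoft) that audits a captured response head for both; the two responses it ships with are constructed.

```python
"""Audit of the response headers behind the XSS-protection and Strict HTTPS findings.

Added example (not from the survey). Both responses below are constructed.
"""

ONE_YEAR = 31536000  # seconds; the floor commonly recommended for HSTS max-age

# Constructed responses: one hardened, one as the survey found most sites.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

BARE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
"""


def parse_headers(raw):
    """Turn a raw response head into a dict of lowercase header name -> value."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def assess_hsts(headers):
    """Return missing / disabled / short / ok / strong for Strict-Transport-Security."""
    value = headers.get("strict-transport-security")
    if value is None:
        return "missing"
    directives = parse_directives(value)
    max_age = directives.get("max-age", "")
    max_age = int(max_age) if max_age.isdigit() else 0
    if max_age == 0:
        return "disabled"  # max-age=0 tells browsers to drop any stored policy
    if max_age < ONE_YEAR:
        return "short"
    return "strong" if "includesubdomains" in directives else "ok"


def assess_xss_protection(headers):
    """Return none / legacy-only / csp / csp+legacy from CSP and X-XSS-Protection."""
    csp = headers.get("content-security-policy", "").lower()
    has_csp = "script-src" in csp or "default-src" in csp
    legacy_filter = headers.get("x-xss-protection", "").strip().startswith("1")
    if has_csp and legacy_filter:
        return "csp+legacy"
    if has_csp:
        return "csp"
    return "legacy-only" if legacy_filter else "none"


def audit_response(raw):
    """Combine both checks for one captured response head."""
    headers = parse_headers(raw)
    return {"hsts": assess_hsts(headers), "xss_protection": assess_xss_protection(headers)}


if __name__ == "__main__":
    print("hardened:", audit_response(HARDENED_RESPONSE))
    print("bare:    ", audit_response(BARE_RESPONSE))
```

A "legacy-only" result deserves attention when re-running a survey like this one today: current browsers have removed the `X-XSS-Protection` filter, so a site that sets only that header has no browser-enforced XSS mitigation, and a Content-Security-Policy with a restrictive `script-src` is the setting to look for.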
Risk Level Categorisation

The security risk graph shown above, across the various industries in Hong Kong, clearly shows that a majority of the Fintechs surveyed (shown in red and orange) stand at a higher probability of being hacked or vulnerable to simple attacks.

Security Scores

The security scores graph shown above, across the various industries in Hong Kong, clearly shows that a majority of the Fintechs surveyed have not done enough to protect themselves against phishing attacks, which is consistent with reports of a rising trend in phishing attacks globally.
