Cyberattack Risk: Scans Find Big Businesses Exposed

June 12, 2019 • 10 Minutes

Britain's biggest businesses continue to inappropriately expose a number of servers and services to the internet, putting the organizations and the data they store at risk, according to a new study by security firm Rapid7.

Rapid7 conducted a study of the U.K.'s 250 largest publicly traded firms, reviewing their overall attack surface - including the number of exposed devices and servers, the presence of dangerous or insecure services, their phishing defense posture, weak server configurations as well as cloud service exposure risks.

The resulting Industry Cyber-Exposure Report for the U.K. found that the studied organizations have, on average, just 35 internet-exposed services at risk of being compromised, while 88 percent of organizations have weak or nonexistent phishing defenses - for example, they fail to use DMARC - for their primary email domains. Most also were not running the latest version or security patches for at least some internet-facing, critical business systems.

"The bright spot of this report is that corporate U.K. has done a pretty great job of getting rid of SMB and telnet," says Tod Beardsley, director of security at Rapid7, in an interview with Information Security Media Group. "Which is good. This is telling me that the U.K. kind of took it on the chin with WannaCry and friends and they've really gotten the message - we need to be filtering this out, firewalling, not exposing this stuff by accident, actually looking to see what we have exposed. Things like that."

Evidence of Hacked Sites

But the news isn't all good. "We do see attack traffic emanating from the FTSE 250," he says, thanks to his firm's honeypots, which help detect when an organization has gotten hacked, or when its cloud services are exposing corporate data.

In this interview at last week's Infosecurity Europe conference in London, Beardsley details:

- The increase in SMB attack traffic;
- How fast-flux cloud service IP addresses can inadvertently self-compromise organizations, including their database connections;
- The "startling lack" of name-brand companies forcing HTTP connections to their site to redirect to HTTPS.

This study by Rapid7 of the FTSE 250 - a capitalization-weighted index consisting of the largest companies listed on the London Stock Exchange - updates the company's previous efforts to catalog outdated and unsecured internet protocols and devices (see: Scans Reveal 13 Million Internet-Exposed Databases). This study did not look at websites run by the government, non-profits or the education sector.

Beardsley is the director of security at Rapid7. He has over 20 years of hands-on security knowledge and experience, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT ops and IT security positions in large footprint organizations such as 3Com, Dell and Westinghouse, as both an offensive and defensive practitioner. Today, Beardsley often speaks at security and developer conferences on open source security software development, managing the human "Layer 8" component of security and software, and reasonable vulnerability disclosure handling.