Perimeter

12/17/2018 11:36 AM

Lax Controls Leave Fortune 500 Overexposed On the Net

The largest companies in the world have an average of 500 servers and devices accessible from the Internet - and many leave thousands of systems open to attack.

Large companies are leaving easy-to-exploit systems exposed on the public Internet, raising the risk of a serious future compromise, according to data from two cybersecurity firms. 

Rapid7 found that the average Fortune 500 firm had approximately 500 servers and devices connected to the Internet, with five to 10 systems exposing Windows file-sharing or Telnet services. Fifteen of the 21 industry sectors on which Rapid7 collected data had at least one member allowing public access to a Windows file-sharing service.

These simple-to-spot oversights suggest that companies do not have adequate control over which systems are connected to the public network, says Tod Beardsley, research director of Rapid7, which published a report last week on its findings.

"I would advise everyone, from the Fortune 500 on down, to be aware of what you are exposing to the Internet," Beardsley says. "Any chance you have of taking something off the Internet—every device you take off the Internet is one less device for attackers to compromise."

The report refutes the common wisdom that larger companies, with their greater resources and more skilled security teams, are better defended against cyberattacks than smaller firms. While it's easy to assume that larger firms have more resources to allocate to cybersecurity, they also have many more devices connected to the Net, a sprawling infrastructure, and a greater attack surface area.

Both Rapid7's report and an earlier report by security ratings company BitSight found that larger firms were likely to have self-inflicted holes in their defenses. 

"Bigger doesn't always mean better," says Jake Olcott, vice president of government affairs for BitSight. "Just because you are a large organization with lots of resources doesn't necessarily mean that your security performance is better. In general, the larger the organization, the larger the attack surface."

The reports show that companies need to focus on three main areas to button up their systems and eliminate the security issues for which attackers are constantly on the lookout.

Know Your Assets

Rapid7 had little trouble identifying the various systems and devices connected to the Internet. On average, Fortune 500 companies had 500 systems connected to the public network; large companies should treat that figure as the baseline for how many systems they expose. A significant fraction of technology, business-service, and financial firms had thousands of exposed servers, Rapid7 found.

"When you are that far off of the norm, that tells me you have an asset management problem," Beardsley says. "It tells me that those companies are just littered with vulnerable systems connected to the Internet." 

At least one company in each of the aerospace & defense, chemical, and retail industries had more than 20,000 systems accessible through the Internet, Rapid7 found.

Getting those assets under control is important. While many applications may warrant being connected to the Internet, the companies with greater than 1,000 connected systems are offering attackers a very enticing attack surface area.

Watch Outbound Traffic 

Both Rapid7 and BitSight regularly see traffic generated by compromised systems coming from Internet addresses assigned to large companies. Rapid7, for example, found that the healthcare, retail, and technology sectors all had a high incidence of malicious traffic coming from their networks.

In its 2017 report, How Secure Are America’s Largest Business Partners?, BitSight found that 15% of companies produced traffic suggesting a compromise by Conficker, malware that is almost a decade old. Other infections included Necurs, Bedep, and Zeus. "Many organizations are not aware of these issues inside their networks," BitSight's Olcott says. "The traffic is absolutely an indicator that there is something bad happening."

It's not clear from the traffic data whether companies are having trouble eradicating malware or if they just don't know about a system harboring malicious code, he says.

"It could be a governance issue or a technology issue, or it might be an employee-training and awareness issue," Olcott says. "The root cause — the challenge that these organizations have is it is very hard for them to get visibility into their environments."
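The visibility problem Olcott describes is usually tackled by looking at egress flow records for two things: destinations that appear on a threat-intelligence feed, and internal hosts that check in with one external address at near-constant intervals, the pattern families like Conficker and Zeus produce. The script below is an added example written for this article, not BitSight's or Rapid7's tooling; the flow records and the indicator address are constructed placeholders, not real infrastructure.

```python
"""Flag internal hosts whose outbound traffic looks like malware check-ins.

Added example: the NetFlow-style records and the indicator list below are
constructed for illustration. 198.51.100.7 is a documentation-range
placeholder standing in for an address taken from a threat feed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Placeholder indicator list (in practice: sinkhole or C2 addresses from a feed).
KNOWN_BAD_DESTINATIONS = {"198.51.100.7"}

# Constructed flow records: timestamp, internal source, external destination, port.
SAMPLE_FLOWS = """\
2018-12-17T10:00:00 10.0.0.5 198.51.100.7 80
2018-12-17T10:05:00 10.0.0.5 198.51.100.7 80
2018-12-17T10:10:00 10.0.0.5 198.51.100.7 80
2018-12-17T10:15:00 10.0.0.5 198.51.100.7 80
2018-12-17T10:00:12 10.0.0.9 192.0.2.44 443
2018-12-17T10:00:13 10.0.0.9 192.0.2.45 443
2018-12-17T10:07:41 10.0.0.9 192.0.2.44 443
2018-12-17T10:30:02 10.0.0.9 192.0.2.46 443
2018-12-17T10:01:00 10.0.0.22 192.0.2.99 8443
2018-12-17T10:31:00 10.0.0.22 192.0.2.99 8443
2018-12-17T11:01:00 10.0.0.22 192.0.2.99 8443
2018-12-17T11:31:00 10.0.0.22 192.0.2.99 8443
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def indicator_hits(flows, indicators=KNOWN_BAD_DESTINATIONS):
    """Internal hosts that contacted any destination on the indicator list."""
    return sorted({src for _, src, dst, _ in flows if dst in indicators})


def beaconing_pairs(flows, min_connections=4, max_jitter_s=30.0):
    """(src, dst) pairs with at least min_connections at near-constant spacing.

    The population standard deviation of the inter-connection gaps is used as
    the jitter measure; a value at or below max_jitter_s marks the pair.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)

    suspicious = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            suspicious.append(pair)
    return sorted(suspicious)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("indicator hits:", indicator_hits(flows))
    print("beaconing pairs:", beaconing_pairs(flows))
```

The indicator match is a confirmed finding; the interval heuristic is a triage queue. In the constructed data 10.0.0.22 polls 192.0.2.99 every 30 minutes and is flagged alongside the infected host, which is exactly the kind of regular but legitimate traffic (monitoring agents, update checks) an analyst has to rule out before calling it a compromise.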

Eliminate Easy-to-Exploit Services

For modern companies, there is no reason to expose Windows file-sharing, Telnet, or file-transfer protocol (FTP) services to the public network. Yet at least a third of companies are hosting servers with one of those services available, according to BitSight data.

Exposing Windows file-sharing through the SMB protocol opens up companies to debilitating attacks such as WannaCry, NotPetya, and other ransomware. Companies in at least 15 of the 21 sectors monitored by Rapid7 have servers with Windows file-sharing available through the public network. And more than 48 of the Fortune 500 companies have Telnet exposed on the Net, the company says.

"If you can get rid of all of the Internet-facing Telnet and SMB, you are miles ahead of the rest of the Internet, and you will avoid contributing to the next WannaCry," Rapid7's Beardsley says.
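Both the "Know Your Assets" and "Eliminate Easy-to-Exploit Services" points reduce to a recurring audit of whatever external scan or attack-surface export an organization already has: count the hosts, compare against the article's 500-host baseline, and list every host offering SMB, Telnet or FTP. The script below is an added example, not Rapid7's or BitSight's methodology; the CSV inventory is constructed, and the port-to-service mapping uses the standard IANA assignments.

```python
"""Audit an exported inventory of Internet-facing services.

Added example: the CSV below is a constructed stand-in for a scanner or
attack-surface-management export. The baseline of 500 exposed hosts and the
"never public" service list come from the figures quoted in the article.
"""
import csv
import io
from collections import Counter

# Services the article says have no business being Internet-facing,
# keyed by their standard port.
RISKY_PORTS = {
    21: "ftp",
    23: "telnet",
    139: "smb (netbios-ssn)",
    445: "smb (microsoft-ds)",
}
# Banner names that identify the same services on a non-standard port.
RISKY_NAMES = {"ftp", "telnet", "smb", "microsoft-ds", "netbios-ssn"}

# Average Fortune 500 exposure reported by Rapid7, used as the sanity baseline.
BASELINE_EXPOSED_HOSTS = 500

# Constructed sample export: one row per open port (documentation-range IPs).
SAMPLE_INVENTORY = """\
ip,port,service
203.0.113.10,443,https
203.0.113.10,445,microsoft-ds
203.0.113.11,23,telnet
203.0.113.12,21,ftp
203.0.113.13,22,ssh
203.0.113.13,443,https
203.0.113.14,139,netbios-ssn
203.0.113.15,2323,telnet
"""


def parse_inventory(text):
    """Parse the CSV export into (ip, port, service) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((row["ip"].strip(), int(row["port"]), row["service"].strip().lower()))
    return rows


def find_risky_exposures(rows):
    """Return (ip, port, label) for every row exposing SMB, Telnet or FTP.

    A row matches on its standard port or, for services moved to another
    port, on the service name reported by the scanner.
    """
    findings = []
    for ip, port, service in rows:
        if port in RISKY_PORTS:
            findings.append((ip, port, RISKY_PORTS[port]))
        elif service in RISKY_NAMES:
            findings.append((ip, port, f"{service} (non-standard port)"))
    return findings


def exposure_summary(rows, baseline=BASELINE_EXPOSED_HOSTS):
    """Summarize host count against the baseline and the risky-service findings."""
    hosts = {ip for ip, _, _ in rows}
    risky = find_risky_exposures(rows)
    return {
        "exposed_hosts": len(hosts),
        "over_baseline": len(hosts) > baseline,
        "risky_hosts": sorted({ip for ip, _, _ in risky}),
        "risky_by_service": dict(Counter(label for _, _, label in risky)),
    }


if __name__ == "__main__":
    summary = exposure_summary(parse_inventory(SAMPLE_INVENTORY))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real export, the "risky_hosts" list is the remediation queue Beardsley describes: each entry is either a firewall rule to close or an asset nobody knew was public, and a host count far above the baseline is the asset-management signal Rapid7 points to.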

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments

NathanDavidson, 1/8/2019 | 4:47:04 AM
Don't skimp on security
You would think that by now a lot of these companies would know better than to skimp on their security. But it seems like they haven't paid a price high enough yet for them to learn their lesson! I will take a page from this book and make sure my own facility is properly secure though! I don't want to risk having to learn this painful lesson if my company gets targeted!

StephenGiderson, 1/10/2019 | 11:40:51 PM
Open to easy risks
It is shocking to know that even large organisations are still letting themselves become vulnerable to potential risks which could have been avoided in the very first place with the tightest online security there is. This is the investment worth every penny that needs to be implemented without any doubt. There really isn't any point in having the greatest network around if it is just going to be taken over in no time.