A deep dive into the security of Fortune 500 organizations reveals they have improved, albeit "slowly and unevenly," with gains made in email security and vulnerability disclosure programs (VDPs) and progress lagging in asset management and high-risk services, researchers report.
Rapid7's "Internet Cyber-Exposure Report" aims to highlight critical security issues for the CISO, IT security staff, and internal business partners in an enterprise. Its analysis is broken down into five areas of risk: email security, encryption for public Web applications, version management for Web and email servers, risky protocols unsuitable for the Internet, and the increase in VDPs.
Starting with the positive trends, email security improved within the Fortune 500 as valid Domain-based Message Authentication, Reporting, and Conformance (DMARC) configurations reached 379, a 13% increase from 314 at the end of 2019. This means roughly 76% of the Fortune 500 has valid DMARC implementations, though adoption is highest in finance.
A properly implemented DMARC system can pinpoint illegitimate emails and determine how those messages should be handled. Depending on the IT administrator, DMARC can be configured to handle suspicious emails with different degrees of severity. The system can help block business email compromise (BEC) attacks, a common attack against the Fortune 500.
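The paragraph above describes DMARC policies in general terms. The following added example, which is not from Rapid7's report or the article, shows how a defender can parse a domain's DMARC TXT record and rate it the way the report's "valid DMARC" count implies: a record is only enforcing when the policy (and subdomain policy) is `reject` and applies to 100% of mail, while `p=none` only monitors. The sample records and domain names are constructed for the example.

```python
"""Parse DMARC TXT records and rate how strictly they handle unauthenticated mail.

Tags follow RFC 7489: p= (none|quarantine|reject), sp= (defaults to p), pct= (defaults to 100),
rua=/ruf= for aggregate/forensic reporting addresses.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records; the domains are placeholders, not real lookups.
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; sp=none; pct=25",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record published where DMARC was expected
}

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    reporting: bool
    rating: str  # "enforcing", "partial", "monitor-only" or "invalid"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a tag dict; keys are lower-cased, values kept as written."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in VALID_POLICIES:
        return DmarcAssessment(False, None, None, 0, False, "invalid")
    sp = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    reporting = "rua" in tags or "ruf" in tags
    if policy == "reject" and sp == "reject" and pct == 100:
        rating = "enforcing"
    elif policy in ("quarantine", "reject"):
        rating = "partial"  # some mail still passes: sampled pct, or weaker subdomain policy
    else:
        rating = "monitor-only"  # p=none: reports only, nothing is blocked
    return DmarcAssessment(True, policy, sp, pct, reporting, rating)


def valid_fraction(records: Dict[str, str]) -> float:
    """Share of domains with a valid DMARC record, the metric the report tracks."""
    valid = sum(1 for r in records.values() if assess_dmarc(r).valid)
    return valid / len(records) if records else 0.0


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record))
    print("valid fraction:", valid_fraction(SAMPLE_RECORDS))
```

The rating distinguishes a merely valid record from one that actually blocks spoofed mail; a `p=none` record counts as valid in the report's sense but gives no BEC protection on its own.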
"That gets slightly harder when you have good DMARC," Tod Beardsley, director of research for Rapid7, says of BEC. If an employee gets an email from the CFO requesting a wire transfer, chances are higher it's actually the CFO sending the request.
Another promising finding was in the growth of VDPs. Of the top 100 companies studied, 46 have a VDP. While the percentage of all Fortune 500 companies running a VDP is lower, at 20%, it's more than double the 9% that had a VDP back in 2019.
Not all VDPs are the same; for example, some may run a bug bounty program with a wealth of terms that may dissuade well-meaning researchers. "But what it does tell researchers is they have thought about it, they have a procedure, they have the capability of triaging," he notes.
Still, there are significant differences in VDP adoption across industries. Technology is the only industry in the Fortune 500 in which most businesses have a VDP. While all major companies have some technical components, nearly 80% of the top US companies outside of tech lack a formal VDP, which discourages the responsible disclosure of vulnerabilities and data leaks.
Room for Improvement: Asset and Patch Management
The range of systems, technologies, and business processes in the Fortune 100 presents daily challenges for even the largest organizations and most mature security teams.
Rapid7 researchers found within a single technology stack (Web servers), firms across business services, finance, healthcare, leisure, industrials, media, and technology expose 10 or more different versions of Apache and/or Nginx. All industries have one or more businesses exposing at least three different versions of Internet Information Services (IIS). This expands the attack surface and impedes patching.
"There are at least over 81 distinct versions of Nginx, 70 distinct versions of Apache, and 15 — yes, 15 — distinct versions of IIS running across Fortune 500 members," the researchers report. In the Fortune 500, this issue may stem from frequent acquisitions of smaller organizations.
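The version sprawl the researchers describe is measured from the `Server` headers that web servers return. As an added example (not code from Rapid7 or the article), the script below takes a constructed list of hosts and their `Server` banners, groups them by product and version, and reports which products exceed a chosen number of distinct versions, the same kind of inventory that tells a security team how many builds of Nginx, Apache and IIS it has to keep patched. Hostnames and banners are placeholders.

```python
"""Inventory distinct web-server versions from HTTP Server header banners."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample observations: (host, Server header value). All hosts are placeholders.
OBSERVATIONS = [
    ("web1.corp.example", "nginx/1.18.0"),
    ("web2.corp.example", "nginx/1.20.1"),
    ("web3.corp.example", "nginx"),  # server_tokens off: version hidden, still counts as an asset
    ("web4.corp.example", "nginx/1.22.0"),
    ("api.corp.example", "Apache/2.4.41 (Ubuntu)"),
    ("legacy.corp.example", "Apache/2.2.15 (CentOS)"),
    ("intranet.corp.example", "Microsoft-IIS/10.0"),
    ("old.corp.example", "Microsoft-IIS/7.5"),
    ("portal.corp.example", "Microsoft-IIS/10.0"),
    ("cdn.corp.example", "cloudflare"),  # not one of the tracked products
]

# Product name optionally followed by "/<version>"; trailing text such as "(Ubuntu)" is ignored.
BANNER_RE = re.compile(r"^(?P<product>nginx|Apache|Microsoft-IIS)(?:/(?P<version>[\d.]+))?", re.IGNORECASE)
PRODUCT_ALIASES = {"microsoft-iis": "iis"}


def parse_banner(banner: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (product, version) for a tracked product, or None if the banner is not one."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return None
    product = match.group("product").lower()
    return PRODUCT_ALIASES.get(product, product), match.group("version")


def version_inventory(observations) -> Dict[str, Dict[str, List[str]]]:
    """product -> version -> hosts; hosts that hide the version land under 'unknown'."""
    inventory: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for host, banner in observations:
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version = parsed
        inventory[product][version or "unknown"].append(host)
    return inventory


def distinct_version_counts(observations) -> Dict[str, int]:
    """Number of distinct known versions exposed per product."""
    return {
        product: sum(1 for v in versions if v != "unknown")
        for product, versions in version_inventory(observations).items()
    }


def sprawl_report(observations, threshold: int = 3) -> List[str]:
    """Products exposing at least `threshold` distinct versions, sorted by name."""
    counts = distinct_version_counts(observations)
    return sorted(product for product, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for product, versions in version_inventory(OBSERVATIONS).items():
        for version, hosts in sorted(versions.items()):
            print(f"{product:7s} {version:8s} {len(hosts)} host(s)")
    print("products over threshold:", sprawl_report(OBSERVATIONS))
```

Hosts that suppress the version string are kept in the inventory but not counted as a known version; a banner alone does not prove a version is current, so the list is a starting point for patch verification, not a substitute for it.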
"A given Fortune 500 company will tend to acquire other companies, and they tend to split off into different companies but they have a lot of churn on their network," Beardsley explains. As a big enterprise buys smaller businesses, its footprint changes. A Fortune 500 CISO may have ensured it was running one version of Nginx, but its acquired company may have less discipline.
He advises boards of directors to involve the CISO in M&A discussions, "because they're going to be the one who has to fix it once you acquire them." Updating systems to the same version isn't a task that can wait. If a new company enters the environment and is standardized on something different, it's essential to have a process that gets everyone to the same point.
Of course, newly acquired companies aren't the only obstacle Fortune 500 companies face when it comes to patching and asset management. Like many older companies, they have a lot of legacy systems to worry about. While smaller startups built in the cloud often have zero infrastructure, businesses in the Fortune 500 still have assets in data centers to manage.
"Asset management is a huge problem," says Beardsley. "Asset management is a kind of precursor to vulnerability management and patch management. If you don't have a good handle on your asset management … everything else suffers from that."
The Danger of Internet-Facing Services
Rapid7 researchers sought to learn how well the Fortune 500 was doing in leaving high-risk services exposed on the Internet, so they focused on Server Message Block (SMB), Remote Desktop Protocol (RDP), and Telnet because they're commonly used in these businesses.
Of the hosts exposing SMB, 95% provided a hostname, 91% leaked the DNS name of the host, and 92% leaked the fully qualified domain name configured on the host. A total of 403 RDP services were detected across 61 companies, especially in technology, healthcare, and finance. The finance industry had the most Telnet exposure, with 61% of the total.
Researchers note that "any non-zero number" of these services made available to the public Internet is considered unacceptable in businesses with mature security programs. While it has been a while since the last major worm outbreak, NotPetya (SMB), WannaCry (SMB), and Mirai (Telnet) all leveraged the aforementioned protocols.
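The "any non-zero number" bar above is easy to turn into an automated check over an external scan. The following added example (not from Rapid7 or the article) reads a constructed CSV export of Internet-facing services, flags SMB, RDP and Telnet per company, pulls the hostname that SMB hosts volunteer in their banners, and lists which companies meet the zero-exposure bar. Company names, addresses (from documentation ranges) and banners are placeholders.

```python
"""Flag Internet-exposed high-risk services (SMB, RDP, Telnet) in a scan export."""
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Tuple

# Ports the report treats as unacceptable when reachable from the Internet.
HIGH_RISK_PORTS = {139: "smb", 445: "smb", 3389: "rdp", 23: "telnet"}

# Constructed sample: one row per exposed service, as an asset inventory or scanner might export it.
SAMPLE_CSV = """company,host,port,proto,banner
AcmeFin,203.0.113.10,445,tcp,SMB hostname=FILESRV01 dns=filesrv01.acmefin.example
AcmeFin,203.0.113.11,23,tcp,Telnet login:
AcmeFin,203.0.113.12,443,tcp,nginx
BetaHealth,198.51.100.5,3389,tcp,RDP
BetaHealth,198.51.100.6,3389,tcp,RDP
BetaHealth,198.51.100.7,445,tcp,SMB
GammaTech,192.0.2.7,22,tcp,OpenSSH
GammaTech,192.0.2.8,443,tcp,Apache
"""

SMB_HOSTNAME_RE = re.compile(r"hostname=(\S+)")


def parse_scan(csv_text: str) -> List[Dict[str, object]]:
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def high_risk_findings(rows) -> List[Dict[str, object]]:
    """Rows whose port maps to a high-risk service, annotated with the service name."""
    return [dict(r, service=HIGH_RISK_PORTS[r["port"]]) for r in rows if r["port"] in HIGH_RISK_PORTS]


def exposure_by_company(rows) -> Dict[str, Counter]:
    """company -> Counter of exposed high-risk services; only companies with findings appear."""
    exposure: Dict[str, Counter] = {}
    for finding in high_risk_findings(rows):
        exposure.setdefault(finding["company"], Counter())[finding["service"]] += 1
    return exposure


def smb_hostname_leaks(rows) -> List[Tuple[str, str]]:
    """(host, hostname) pairs where an exposed SMB service reveals its configured hostname."""
    leaks = []
    for finding in high_risk_findings(rows):
        if finding["service"] != "smb":
            continue
        match = SMB_HOSTNAME_RE.search(str(finding["banner"]))
        if match:
            leaks.append((str(finding["host"]), match.group(1)))
    return leaks


def companies_meeting_bar(rows) -> List[str]:
    """Companies with zero high-risk services exposed, the bar the report describes as mature."""
    all_companies = {str(r["company"]) for r in rows}
    return sorted(all_companies - set(exposure_by_company(rows)))


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_CSV)
    for company, counts in exposure_by_company(scan).items():
        print(company, dict(counts))
    print("SMB hostname leaks:", smb_hostname_leaks(scan))
    print("meeting the zero-exposure bar:", companies_meeting_bar(scan))
```

Running this against an authoritative external scan on a schedule turns the report's finding into a regression check: a company that passes today should still pass after the next acquisition is connected to the network.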
"In my mind, there is no reason to expose SMB, which is the 'Windows everything' protocol," says Beardsley. "It's authentication, it's file sharing, it's print job serving, it's everything. … To put that on the Internet is inviting trouble, and we see that happen over and over again."
Researchers also found nearly 40% of Fortune 500 organizations still have at least one Internet-facing Microsoft Exchange server handling business-critical email. "When we measured in the beginning of Q1 2021, Exchange was all over the place," Beardsley says. After the recent disclosure of Exchange Server zero-days and ongoing active attacks, organizations started to focus more on the security of Exchange Servers.
"We did see a pretty significant move to hosted Exchange; things that are in Microsoft's Azure infrastructure versus on-premises Exchange," he adds. "That tends to be good."