Fortune 500 Security Shows Progress and Pitfalls

Fortune 500 companies have improved on email security and vulnerability disclosure programs but struggle in asset management and high-risk services.

A deep dive into the security of Fortune 500 organizations reveals they have improved, albeit "slowly and unevenly," with gains made in email security and vulnerability disclosure programs (VDPs) and progress lagging in asset management and high-risk services, researchers report.

Rapid7's "Internet Cyber-Exposure Report" aims to highlight critical security issues for the CISO, IT security staff, and internal business partners in an enterprise. Its analysis is broken down into five areas of risk: email security, encryption for public Web applications, version management for Web and email servers, risky protocols unsuitable for the Internet, and the increase in VDPs.


Starting with the positive trends, email security improved within the Fortune 500 as valid Domain-based Message Authentication, Reporting, and Conformance (DMARC) configurations reached 379, up from 314 at the end of 2019, a gain of 13 percentage points. This means roughly 76% of the Fortune 500 has valid DMARC implementations, with adoption highest in finance.

A properly implemented DMARC record lets a domain owner tell receiving mail servers what to do with messages that claim to come from the domain but fail SPF and DKIM alignment. The owner chooses the severity: monitor only (p=none), quarantine, or reject. A record at p=none counts as valid but blocks nothing, so "valid DMARC" is a floor, not a guarantee of enforcement. At quarantine or reject, DMARC helps block business email compromise (BEC) attacks that spoof the company's own domain, a common attack against the Fortune 500.

"That gets slightly harder when you have good DMARC," Tod Beardsley, director of research for Rapid7, says of BEC. If an employee gets an email from the CFO's corporate address requesting a wire transfer, chances are higher it really came from the company's domain. DMARC does not, however, help against lookalike domains the attacker registers and controls.
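The record-level check behind the numbers above, as an added example (not Rapid7's methodology or code): parse a DMARC TXT record, classify whether it actually enforces anything, and evaluate the disposition a receiver would reach for one message given the SPF and DKIM results and the identifier-alignment modes (aspf/adkim). The record strings, domains, and the two-label organizational-domain rule are constructed simplifications; real implementations derive the organizational domain from the Public Suffix List.

```python
"""DMARC record parsing and policy evaluation (added example, not from the report)."""

ORG_LABELS = 2  # simplification: organizational domain = last two labels (real code uses the Public Suffix List)
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag and p= is required
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs leading v=DMARC1 and a p= tag)")
    if tags["p"] not in VALID_POLICIES or tags.get("sp", "none") not in VALID_POLICIES:
        raise ValueError("unknown policy value")
    return tags


def policy_strength(record):
    """Classify what a 'valid' record actually enforces; p=none blocks nothing."""
    tags = parse_dmarc(record)
    pct = int(tags.get("pct", "100"))
    if tags["p"] == "none":
        return "monitoring only"
    if pct < 100:
        return f"enforcing ({tags['p']}) on {pct}% of failing mail"
    return f"enforcing ({tags['p']})"


def _org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-ORG_LABELS:])


def _aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else _org_domain(f) == _org_domain(a)


def evaluate(record, policy_domain, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return (result, disposition) a receiver would reach for one message.

    spf_domain is the MAIL FROM domain SPF authenticated, dkim_domain the d= of a
    verified DKIM signature. Alignment is checked against the RFC5322.From domain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and _aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and _aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    pd, fd = policy_domain.lower(), from_domain.lower()
    is_subdomain = fd != pd and fd.endswith("." + pd)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return ("fail", policy)


if __name__ == "__main__":
    REC = "v=DMARC1; p=reject; sp=quarantine; aspf=s; rua=mailto:dmarc@example.com"  # constructed
    print(policy_strength(REC))
    # Spoofed CFO mail: no DKIM, SPF passes only for the attacker's own bounce domain -> not aligned
    print(evaluate(REC, "example.com", "example.com", spf_domain="attacker.example", spf_pass=True))
```

The strict aspf=s case in the test below is the one that surprises people: SPF passing for mail.example.com does not rescue a From of example.com, while a relaxed DKIM signature from the same subdomain does.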

Another promising finding was in the growth of VDPs. Of the top 100 companies studied, 46 have a VDP. While the percentage of all Fortune 500 companies running a VDP is lower, at 20%, it's more than double the 9% that had a VDP back in 2019.

Not all VDPs are the same; for example, some may run a bug bounty program with a wealth of terms that may dissuade well-meaning researchers. "But what it does tell researchers is they have thought about it, they have a procedure, they have the capability of triaging," he notes.

Still, there are significant differences in VDP adoption across industries. Technology is the only industry in the Fortune 500 in which most businesses have a VDP. While all major companies have some technical components, nearly 80% of the top US companies outside of tech lack a formal VDP, which discourages the responsible disclosure of vulnerabilities and data leaks.

Room for Improvement: Asset and Patch Management
The range of systems, technologies, and business processes in the Fortune 100 presents daily challenges for even the largest organizations and most mature security teams.

Rapid7 researchers found within a single technology stack (Web servers), firms across business services, finance, healthcare, leisure, industrials, media, and technology expose 10 or more different versions of Apache and/or Nginx. All industries have one or more businesses exposing at least three different versions of Internet Information Services (IIS). This expands the attack surface and impedes patching.

"There are at least over 81 distinct versions of Nginx, 70 distinct versions of Apache, and 15 — yes, 15 — distinct versions of IIS running across Fortune 500 members," the researchers report. In the Fortune 500, this issue may stem from frequent acquisitions of smaller organizations.

"A given Fortune 500 company will tend to acquire other companies, and they tend to split off into different companies but they have a lot of churn on their network," Beardsley explains. As a big enterprise buys smaller businesses, its footprint changes. A Fortune 500 CISO may have ensured the company runs a single version of Nginx, but an acquired company may have been less disciplined.

He advises boards of directors to involve the CISO in M&A discussions, "because they're going to be the one who has to fix it once you acquire them." Updating systems to the same version isn't a task that can wait. If a new company enters the environment and is standardized on something different, it's essential to have a process that gets everyone to the same point.

Of course, newly acquired companies aren't the only obstacle Fortune 500 companies face when it comes to patching and asset management. Like many older companies, they have a lot of legacy systems to worry about. While smaller startups built in the cloud often own no physical infrastructure at all, businesses in the Fortune 500 still have assets in data centers to manage.

"Asset management is a huge problem," says Beardsley. "Asset management is a kind of precursor to vulnerability management and patch management. If you don't have a good handle on your asset management … everything else suffers from that."
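One concrete way to measure the sprawl described above from the outside, as an added example (not Rapid7's tooling): normalize the Server header each Internet-facing host returns, count distinct versions per product, and group by business unit so an acquisition's stack stands out against the parent's. The inventory is constructed for illustration; in practice it would come from an HTTP probe or an external attack-surface scan. The helper treats a hidden version (ServerTokens Prod, header stripped) as "hidden", not as patched, since the host still has to be inventoried.

```python
"""Web-server version sprawl from Server headers (added example, not Rapid7's tooling)."""
import re
from collections import defaultdict

# Matches 'Apache/2.4.41 (Ubuntu)', 'nginx/1.18.0', 'Microsoft-IIS/10.0', or bare 'Apache' (version hidden)
SERVER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>\d[\w.-]*))?")
PRODUCT_NAMES = {"apache": "Apache", "nginx": "Nginx", "microsoft-iis": "IIS"}


def parse_server_header(value):
    """Split a Server header into (product, version); version is None when hidden."""
    m = SERVER_RE.match(value.strip())
    if not m:
        return (None, None)
    product = m.group("product").lower()
    return (PRODUCT_NAMES.get(product, product), m.group("version"))


def version_sprawl(inventory):
    """Map product -> version (or 'hidden') -> set of hosts."""
    sprawl = defaultdict(lambda: defaultdict(set))
    for entry in inventory:
        product, version = parse_server_header(entry["server"])
        if product is not None:
            sprawl[product][version or "hidden"].add(entry["host"])
    return sprawl


def summarize(inventory):
    """Per product: how many distinct versions are exposed and how many hosts hide theirs."""
    summary = {}
    for product, versions in version_sprawl(inventory).items():
        known = sorted(v for v in versions if v != "hidden")
        summary[product] = {
            "distinct_versions": len(known),
            "versions": known,
            "hidden_hosts": len(versions.get("hidden", ())),
        }
    return summary


def summarize_by(inventory, key):
    """Group the inventory (e.g. by business unit) so an acquired company's sprawl stands out."""
    groups = defaultdict(list)
    for entry in inventory:
        groups[entry[key]].append(entry)
    return {group: summarize(entries) for group, entries in groups.items()}


# Constructed inventory: a parent that standardised on one stack, plus an acquisition that did not.
INVENTORY = [
    {"host": "www.parent.example", "unit": "parent", "server": "nginx/1.20.1"},
    {"host": "api.parent.example", "unit": "parent", "server": "nginx/1.20.1"},
    {"host": "portal.parent.example", "unit": "parent", "server": "Microsoft-IIS/10.0"},
    {"host": "shop.acquired.example", "unit": "acquired", "server": "nginx/1.14.0"},
    {"host": "legacy.acquired.example", "unit": "acquired", "server": "Apache/2.2.15 (CentOS)"},
    {"host": "intranet.acquired.example", "unit": "acquired", "server": "Apache/2.4.41 (Ubuntu)"},
    {"host": "cdn.acquired.example", "unit": "acquired", "server": "Apache"},
    {"host": "old.acquired.example", "unit": "acquired", "server": "Microsoft-IIS/7.5"},
]

if __name__ == "__main__":
    for product, info in summarize(INVENTORY).items():
        print(f"{product}: {info['distinct_versions']} version(s) {info['versions']}, {info['hidden_hosts']} hidden")
    for unit, info in summarize_by(INVENTORY, "unit").items():
        print(unit, {p: i["distinct_versions"] for p, i in info.items()})
```

Run against a real inventory, the per-unit view is the one to hand to the CISO before the M&A close: the parent shows one Nginx and one IIS version, the acquisition alone contributes a second of each plus two Apache versions and a host that hides its version entirely.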

The Danger of Internet-Facing Services
Rapid7 researchers sought to learn how widely the Fortune 500 exposes high-risk services to the Internet, so they focused on Server Message Block (SMB), Remote Desktop Protocol (RDP), and Telnet because they're commonly used in these businesses.

Of the hosts exposing SMB, 95% provided a hostname, 91% leaked the DNS name of the host, and 92% leaked the fully qualified domain name configured on the host. Researchers detected 403 RDP services across 61 companies, concentrated in technology, healthcare, and finance. The finance industry had the most Telnet exposure, with 61% of the total.

Researchers note that "any non-zero number" of these services made available to the public Internet is considered unacceptable in businesses with mature security programs. While it has been a while since the last major worm outbreak, NotPetya (SMB), WannaCry (SMB), and Mirai (Telnet) all leveraged the aforementioned protocols.

"In my mind, there is no reason to expose SMB, which is the 'Windows everything' protocol," says Beardsley. "It's authentication, it's file sharing, it's print job serving, it's everything. … To put that on the Internet is inviting trouble, and we see that happen over and over again."
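The hostname, DNS name, and FQDN leakage counted above is what an SMB server volunteers, before any credential is checked, in the NTLMSSP CHALLENGE_MESSAGE it returns to an anonymous session setup: the TargetInfo block carries the NetBIOS computer and domain names and the DNS computer, domain, and tree names as AV_PAIRs. The following is an added example, not the report's scanner: it builds a constructed challenge blob (the network exchange that would carry it inside SMB2 SESSION_SETUP is out of scope) and parses it according to the field layout in MS-NLMP. Host names, domain names, and the mapping of the report's three categories onto AV_PAIR types are my assumptions.

```python
"""Parse the NTLMSSP CHALLENGE_MESSAGE an SMB server returns to an anonymous session setup.
Added example; the layout follows MS-NLMP 2.2.1.2 (CHALLENGE_MESSAGE) and 2.2.2.1 (AV_PAIR)."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
HEADER_LEN = 56  # fixed fields including the 8-byte Version structure

# AV_PAIR AvId values that carry host identity
MSV_AV_EOL = 0
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2
MSV_AV_DNS_COMPUTER_NAME = 3
MSV_AV_DNS_DOMAIN_NAME = 4
MSV_AV_DNS_TREE_NAME = 5
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}


def build_challenge(target_name, av_pairs, flags=0xE28A8215):
    """Construct a CHALLENGE_MESSAGE for testing; a real one arrives inside SMB2 SESSION_SETUP."""
    target = target_name.encode("utf-16-le")
    info = b""
    for av_id, value in av_pairs:
        encoded = value.encode("utf-16-le")
        info += struct.pack("<HH", av_id, len(encoded)) + encoded
    info += struct.pack("<HH", MSV_AV_EOL, 0)
    target_off = HEADER_LEN
    info_off = target_off + len(target)
    msg = NTLMSSP_SIGNATURE
    msg += struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(target), len(target), target_off)  # TargetNameFields
    msg += struct.pack("<I", flags)                                    # NegotiateFlags
    msg += bytes(range(8))                                             # ServerChallenge (constructed)
    msg += b"\x00" * 8                                                 # Reserved
    msg += struct.pack("<HHI", len(info), len(info), info_off)        # TargetInfoFields
    msg += struct.pack("<BBHI", 10, 0, 19041, 0x0F000000)             # Version 10.0.19041, NTLM rev 15
    assert len(msg) == HEADER_LEN
    return msg + target + info


def parse_challenge(msg):
    """Return the identity fields a server volunteers before any credential is presented."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got {msg_type}")
    t_len, _, t_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    i_len, _, i_off = struct.unpack_from("<HHI", msg, 40)
    if t_off + t_len > len(msg) or i_off + i_len > len(msg):
        raise ValueError("payload offsets point outside the message")
    result = {"target_name": msg[t_off:t_off + t_len].decode("utf-16-le"), "flags": flags}
    pos, end = i_off, i_off + i_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        if pos + av_len > end:
            raise ValueError("AV_PAIR runs past TargetInfo")
        if av_id in AV_NAMES:
            result[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", errors="replace")
        pos += av_len
    return result


def leaked_identity(parsed):
    """Roughly the three items the report counts: hostname, DNS (domain) name, and FQDN."""
    return {
        "hostname": parsed.get("netbios_computer"),
        "dns_name": parsed.get("dns_domain"),
        "fqdn": parsed.get("dns_computer"),
    }


# Constructed sample: what a domain-joined file server would volunteer
SAMPLE = build_challenge("CORP", [
    (MSV_AV_NB_DOMAIN_NAME, "CORP"),
    (MSV_AV_NB_COMPUTER_NAME, "FILESRV01"),
    (MSV_AV_DNS_DOMAIN_NAME, "corp.example.com"),
    (MSV_AV_DNS_COMPUTER_NAME, "filesrv01.corp.example.com"),
    (MSV_AV_DNS_TREE_NAME, "example.com"),
])

if __name__ == "__main__":
    print(leaked_identity(parse_challenge(SAMPLE)))
```

Everything the parser recovers is handed out to an unauthenticated peer, which is why an Internet-facing SMB port is an asset-discovery gift to an attacker even before any SMB vulnerability is involved.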

Researchers also found nearly 40% of Fortune 500 organizations still have at least one Internet-facing Microsoft Exchange server handling business-critical email. "When we measured in the beginning of Q1 2021, Exchange was all over the place," Beardsley says. After the recent disclosure of Exchange Server zero-days and ongoing active attacks, organizations started to focus more on the security of Exchange Servers.

"We did see a pretty significant move to hosted Exchange; things that are in Microsoft's Azure infrastructure versus on-premises Exchange," he adds. "That tends to be good."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
