4/7/2021
03:35 PM
Fortune 500 Security Shows Progress and Pitfalls

Fortune 500 companies have improved on email security and vulnerability disclosure programs but struggle in asset management and high-risk services.

A deep dive into the security of Fortune 500 organizations reveals they have improved, albeit "slowly and unevenly," with gains made in email security and vulnerability disclosure programs (VDPs) and progress lagging in asset management and high-risk services, researchers report.

Rapid7's "Internet Cyber-Exposure Report" aims to highlight critical security issues for the CISO, IT security staff, and internal business partners in an enterprise. Its analysis is broken down into five areas of risk: email security, encryption for public Web applications, version management for Web and email servers, risky protocols unsuitable for the Internet, and the increase in VDPs.


Starting with the positive trends, email security improved within the Fortune 500 as valid Domain-based Message Authentication, Reporting, and Conformance (DMARC) configurations reached 379, a 13% increase from 314 at the end of 2019. This means roughly 76% of the Fortune 500 has valid DMARC implementations, though adoption is highest in finance.

A properly implemented DMARC system can pinpoint illegitimate emails and determine how those messages should be handled. Depending on the IT administrator, DMARC can be configured to handle suspicious emails with different degrees of severity. The system can help block business email compromise (BEC) attacks, a common attack against the Fortune 500.

"That gets slightly harder when you have good DMARC," Tod Beardsley, director of research for Rapid7, says of BEC. If an employee gets an email from the CFO requesting a wire transfer, chances are higher it's actually the CFO sending the request.
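The article describes DMARC as a record whose policy an administrator tunes between monitoring and outright rejection. The following is an added example, written for this page rather than taken from Rapid7's report or tooling, that parses a DMARC TXT record and classifies it the way a defender auditing a fleet of domains would: is it a DMARC record at all, which policy does it carry, and is that policy actually enforced. The domains and records are constructed placeholders (no DNS lookup is performed), and the "valid" criterion is this example's own, since the article does not state how the report defines a valid implementation.

```python
# Added example: minimal DMARC record evaluator. Not Rapid7's code; sample data is constructed.

# Constructed sample records (placeholder domains, no DNS lookups performed).
SAMPLE_RECORDS = {
    "example-bank.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test; pct=100",
    "example-retail.test": "v=DMARC1; p=none; rua=mailto:reports@example-retail.test",
    "example-media.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-legacy.test": "v=spf1 include:_spf.example.test -all",  # SPF, not DMARC
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict.

    Returns an empty dict when the record is not DMARC (no v=DMARC1 tag).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:          # skips empty trailing segments and junk
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: str) -> dict:
    """Classify one record: is it valid, and does it actually enforce a policy?

    'valid' is this example's own criterion: v=DMARC1 plus a recognised p= tag
    (and a numeric pct= if present). Findings list the weaknesses an auditor
    would flag; 'enforcing' is True only for quarantine/reject applied to 100%.
    """
    tags = parse_dmarc(record)
    if not tags:
        return {"valid": False, "enforcing": False, "findings": ["no DMARC1 record"]}

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "enforcing": False,
                "findings": [f"missing or unrecognised p= tag: {policy!r}"]}

    try:
        pct = int(tags.get("pct", "100"))  # pct= defaults to 100 when absent
    except ValueError:
        return {"valid": False, "enforcing": False, "findings": ["pct= is not a number"]}

    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()  # sp= falls back to p=
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unenforced even though p= is strict")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"valid": True, "policy": policy, "pct": pct,
            "enforcing": enforcing, "findings": findings}


def summarize(records: dict) -> dict:
    """Aggregate counts in the shape the report uses: valid records and their share."""
    results = [assess_dmarc(r) for r in records.values()]
    valid = sum(1 for r in results if r["valid"])
    enforcing = sum(1 for r in results if r["enforcing"])
    return {"total": len(records), "valid": valid, "enforcing": enforcing,
            "valid_pct": round(100 * valid / len(records)) if records else 0}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record))
    print(summarize(SAMPLE_RECORDS))
```

The distinction between "valid" and "enforcing" is the practical point: a domain can have a syntactically correct record with p=none and still deliver spoofed CFO mail to the inbox, so a fleet-wide count of valid records overstates protection unless it is paired with the enforcing count.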

Another promising finding was in the growth of VDPs. Of the top 100 companies studied, 46 have a VDP. While the percentage of all Fortune 500 companies running a VDP is lower, at 20%, it's more than double the 9% that had a VDP back in 2019.

Not all VDPs are the same; for example, some may run a bug bounty program with a wealth of terms that may dissuade well-meaning researchers. "But what it does tell researchers is they have thought about it, they have a procedure, they have the capability of triaging," he notes.

Still, there are significant differences in VDP adoption across industries. Technology is the only industry in the Fortune 500 in which most businesses have a VDP. While all major companies have some technical components, nearly 80% of the top US companies outside of tech lack a formal VDP, which discourages the responsible disclosure of vulnerabilities and data leaks.

Room for Improvement: Asset and Patch Management
The range of systems, technologies, and business processes in the Fortune 100 presents daily challenges for even the largest organizations and most mature security teams.

Rapid7 researchers found that, within a single technology stack (Web servers), firms across business services, finance, healthcare, leisure, industrials, media, and technology expose 10 or more different versions of Apache and/or Nginx. Every industry has one or more businesses exposing at least three different versions of Internet Information Services (IIS). This expands the attack surface and impedes patching.

"There are at least over 81 distinct versions of Nginx, 70 distinct versions of Apache, and 15 — yes, 15 — distinct versions of IIS running across Fortune 500 members," the researchers report. In the Fortune 500, this issue may stem from frequent acquisitions of smaller organizations.

"A given Fortune 500 company will tend to acquire other companies, and they tend to split off into different companies but they have a lot of churn on their network," Beardsley explains. As a big enterprise buys smaller businesses, its footprint changes. A Fortune 500 CISO may have ensured it was running one version of Nginx, but its acquired company may have less discipline.

He advises boards of directors to involve the CISO in M&A discussions, "because they're going to be the one who has to fix it once you acquire them." Updating systems to the same version isn't a task that can wait. If a new company enters the environment and is standardized on something different, it's essential to have a process that gets everyone to the same point.

Of course, newly acquired companies aren't the only obstacle Fortune 500 companies face when it comes to patching and asset management. Like many older companies, they have a lot of legacy systems to worry about. While smaller startups built in the cloud often have zero infrastructure, businesses in the Fortune 500 still have assets in data centers to manage.

"Asset management is a huge problem," says Beardsley. "Asset management is a kind of precursor to vulnerability management and patch management. If you don't have a good handle on your asset management … everything else suffers from that."

The Danger of Internet-Facing Services
Rapid7 researchers also looked at how far the Fortune 500 has gone in leaving high-risk services exposed on the Internet. They focused on Server Message Block (SMB), Remote Desktop Protocol (RDP), and Telnet because these protocols are commonly used in these businesses.

Of the hosts exposing SMB, 95% provided a hostname, 91% leaked the DNS name of the host, and 92% leaked the fully qualified domain name configured on the host. A total of 403 RDP services were detected across 61 companies, concentrated in technology, healthcare, and finance. The finance industry had the most Telnet exposure, with 61% of the total.

Researchers note that "any non-zero number" of these services made available to the public Internet is considered unacceptable in businesses with mature security programs. While it has been a while since the last major worm outbreak, NotPetya (SMB), WannaCry (SMB), and Mirai (Telnet) all leveraged the aforementioned protocols.

"In my mind, there is no reason to expose SMB, which is the 'Windows everything' protocol," says Beardsley. "It's authentication, it's file sharing, it's print job serving, it's everything. … To put that on the Internet is inviting trouble, and we see that happen over and over again."
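Two of the report's findings above, the number of distinct Web server versions a company exposes and the "any non-zero number" rule for SMB, RDP, and Telnet, are both questions an asset inventory should answer. The following added example, written for this page and not part of Rapid7's scanner or report, runs both checks over a small set of constructed scan records (hostname, port, service label, HTTP Server banner). The hosts, banners, and port-to-protocol mapping are this example's assumptions; the version sprawl it reports is from the constructed data, not the report's own figures.

```python
# Added example: inventory-hygiene checks over constructed scan records.
# Not Rapid7's code; all hosts and banners below are made up for illustration.
import re
from collections import defaultdict

# Constructed scan records: (host, port, service label, banner). Placeholder hosts.
SCAN_RECORDS = [
    ("web1.example.test", 443, "https", "Server: nginx/1.18.0"),
    ("web2.example.test", 443, "https", "Server: nginx/1.14.2"),
    ("web3.example.test", 80, "http", "Server: Apache/2.4.41 (Ubuntu)"),
    ("web4.example.test", 80, "http", "Server: Apache/2.4.29"),
    ("web5.example.test", 443, "https", "Server: Microsoft-IIS/10.0"),
    ("web6.example.test", 443, "https", "Server: nginx/1.18.0"),
    ("fs1.example.test", 445, "microsoft-ds", ""),
    ("ts1.example.test", 3389, "ms-wbt-server", ""),
    ("sw1.example.test", 23, "telnet", ""),
    ("web7.example.test", 443, "https", "Server: nginx"),  # version hidden by config
]

# Assumed mapping of well-known ports to the three protocols the report singles out.
HIGH_RISK_PORTS = {445: "SMB", 3389: "RDP", 23: "Telnet"}

# Matches the three server families the report counts; version is optional because
# some deployments suppress it in the banner.
SERVER_RE = re.compile(
    r"Server:\s*(?P<product>nginx|Apache|Microsoft-IIS)(?:/(?P<version>[\d.]+))?",
    re.IGNORECASE,
)


def parse_server_banner(banner: str):
    """Return (product, version) from an HTTP Server header, or None if unrecognised.

    version is None when the server hides it; the product is still inventoried.
    """
    match = SERVER_RE.search(banner)
    if not match:
        return None
    return (match.group("product").lower(), match.group("version"))


def version_sprawl(records):
    """Map product -> sorted list of distinct exposed versions, as the report counts them."""
    versions = defaultdict(set)
    for _, _, _, banner in records:
        parsed = parse_server_banner(banner)
        if parsed and parsed[1]:           # hidden versions cannot be counted
            versions[parsed[0]].add(parsed[1])
    # String sort is only for a stable listing, not semantic version ordering.
    return {product: sorted(found) for product, found in versions.items()}


def high_risk_exposures(records):
    """List (host, protocol) for every record on an SMB, RDP, or Telnet port."""
    return [(host, HIGH_RISK_PORTS[port])
            for host, port, _, _ in records if port in HIGH_RISK_PORTS]


def hygiene_report(records):
    """Summary a CISO would read: distinct versions per product and risky exposures."""
    sprawl = version_sprawl(records)
    risky = high_risk_exposures(records)
    return {
        "distinct_versions": {product: len(found) for product, found in sprawl.items()},
        "high_risk_count": len(risky),
        "acceptable": len(risky) == 0,  # the report's bar: any non-zero number fails
    }


if __name__ == "__main__":
    print(version_sprawl(SCAN_RECORDS))
    print(high_risk_exposures(SCAN_RECORDS))
    print(hygiene_report(SCAN_RECORDS))
```

Run against the constructed records, the report flags two Nginx and two Apache versions plus three high-risk exposures, so "acceptable" is False. The practical lesson from the sprawl side is that a banner with the version suppressed (web7 above) still needs to be inventoried by other means, otherwise the count understates what is exposed.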

Researchers also found nearly 40% of Fortune 500 organizations still have at least one Internet-facing Microsoft Exchange server handling business-critical email. "When we measured in the beginning of Q1 2021, Exchange was all over the place," Beardsley says. After the recent disclosure of Exchange Server zero-days and ongoing active attacks, organizations started to focus more on the security of Exchange Servers.

"We did see a pretty significant move to hosted Exchange; things that are in Microsoft's Azure infrastructure versus on-premises Exchange," he adds. "That tends to be good."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...