Yet top publicly traded companies are still hosting a high number of unpatched services with known vulnerabilities, especially in financial services and telecommunications.
In what is touted as ‘the most comprehensive census of the modern internet’, this year’s National/Industry/Cloud Exposure Report (NICER) has ranked the United States as the country with the greatest internet exposure to cybersecurity risk.
Following the USA are China, South Korea, UK, Germany, Brazil, Russia, Japan, Canada, Iran, Italy, Argentina, Taiwan, Australia, Spain, France, India, Turkey, Hong Kong and Mexico.
NICER 2020 focuses on the risks and multinational prevalence of protocols that are inherently flawed or too dangerous to expose to the internet, such as FTP, Telnet, SMB and open, insecure databases.
A technical assessment of the 24 service protocols surveyed finds that, on the whole, unencrypted cleartext protocols are still the rule for how information flows around the world. There are 42% more plaintext HTTP web servers than encrypted HTTPS servers, three million databases awaiting insecure queries, and 2.9 million routers, switches and servers accepting Telnet connections.
Financial services and telcos remain exposed
The report by Rapid7, Inc. has found that the top publicly traded companies in advanced economies are hosting a surprisingly high number of unpatched services with known vulnerabilities, especially in financial services and telecommunications.
There are tens of thousands of high-rated CVEs (Common Vulnerabilities and Exposures) across the public-facing assets of these two sectors. Despite these sectors’ vast collective reservoirs of wealth and expertise, the authors report that this level of vulnerability exposure is unlikely to improve in a time of global recession.
The report analysed the exposure of companies listed on the ASX 200 in Australia, the Deutsche Börse Prime Standard 320, the Nikkei 225 in Japan, the UK FTSE 250+ and the US Fortune 500, giving each industry sector a grade of A, B, C or D. Industries graded D include Technology, Telecommunications, Financial Services, Healthcare, Pharma, Engineering, Construction, Industrials, Materials and Mining. Companies in these sectors account for the majority of breach and ransomware headlines in the last 12 months.
But internet exposure has ‘gotten somewhat better’
One positive finding is that the population of insecure services has gone down over the past year, with an average 13% decrease in exposed, dangerous services such as those based on the SMB and rsync file-sharing protocols and the Telnet remote-access protocol. At the same time, more secure alternatives to insecure protocols, such as SSH (Secure Shell) and DoT (DNS-over-TLS), increased overall.
These findings contradict the doom-and-gloom predictions by many commentators that there would be a jump in newly exposed insecure services such as Telnet and SMB due to the sudden shift to work-from-home for millions of people, plus the continued rise of Internet of Things (IoT) devices crowding residential networks.
Australia also made significant strides in reducing its exposure in the last year. The exposure of plaintext FTP (File Transfer Protocol) services across the country, for example, was reduced by 56% in 2020 compared with the same period in 2019, one of the biggest improvements globally. SMB (Server Message Block, the Windows file- and printer-sharing protocol) exposure in Australia was already fairly small in 2019 (just over 5000 servers exposed) and that footprint was further reduced to 4515 in 2020.
Australia’s remote access services exposure
There is still considerable room for improvement, however. NICER 2020 found there are still almost 40,000 systems exposing Microsoft’s Remote Desktop Protocol (RDP) and 4800 exposing Virtual Network Computing (VNC) remote-access services in Australia. This puts organisations at risk of credential stuffing, brute-force and exploit-based attacks.
Australia also ranks fourth in the world, with over 3,000 exposed Citrix ADC/NetScaler services, which provide remote access to applications and desktop environments. Only 73% of internet-facing Citrix systems have the latest patches or mitigations in place; the remaining 27% are either vulnerable or woefully outdated.
Globally, patch and update adoption continues to be slow for a wide range of internet services, even for modern services with reports of active exploitation. This is particularly true in the areas of email handling and remote access where, for example, 3.6 million SSH servers are running versions between five and 14 years old.
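As an added, illustrative example (not from the Rapid7 report or this article), the following Python snippet shows the kind of check the findings above imply for an organisation's own address space: flag scan observations on ports belonging to the cleartext and remote-access services the report names, and estimate how old an SSH server's software is from its banner using an approximate release-date table. The port-to-service mapping, the OpenSSH release dates, the five-year threshold and the sample hosts are all assumptions constructed for this example.

```python
import re
from datetime import date

# Ports the report treats as dangerous or cleartext when internet-facing.
# The port-to-service mapping is an assumption for this example.
DANGEROUS_PORTS = {
    21: "FTP (cleartext file transfer)",
    23: "Telnet (cleartext remote access)",
    445: "SMB (file sharing)",
    873: "rsync (file sharing)",
    3389: "RDP (remote desktop)",
    5900: "VNC (remote desktop)",
}

# Approximate upstream release dates of a few OpenSSH versions, used to
# estimate software age from the server banner. Assumption: the banner
# reflects the installed release. Distributions backport fixes, so age is
# a screening signal, not proof of vulnerability.
OPENSSH_RELEASES = {
    "4.3": date(2006, 2, 1),
    "5.3": date(2009, 10, 1),
    "6.6": date(2014, 3, 16),
    "7.4": date(2016, 12, 19),
    "8.3": date(2020, 5, 27),
}

OLD_SSH_YEARS = 5            # threshold: the article's "five to 14 years old"
AS_OF = date(2020, 7, 1)     # fixed reference date so results are reproducible

# Matches e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7" and captures "7.4".
_BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+\.\d+)")


def parse_ssh_banner(banner):
    """Return the major.minor OpenSSH version from a banner, or None."""
    m = _BANNER_RE.match(banner.strip())
    return m.group(1) if m else None


def ssh_version_age_years(banner, today):
    """Years between the banner's OpenSSH release and `today`, or None if unknown."""
    version = parse_ssh_banner(banner)
    released = OPENSSH_RELEASES.get(version)
    if released is None:
        return None
    return (today - released).days / 365.25


def audit(observations, today):
    """Flag (host, port, banner) observations matching the report's risk classes.

    Returns a list of (host, port, reason) tuples.
    """
    findings = []
    for host, port, banner in observations:
        if port in DANGEROUS_PORTS:
            findings.append((host, port, f"exposes {DANGEROUS_PORTS[port]}"))
        elif port == 22:
            age = ssh_version_age_years(banner, today)
            if age is None:
                findings.append((host, port, "SSH version could not be determined"))
            elif age >= OLD_SSH_YEARS:
                findings.append((host, port, f"OpenSSH release is {age:.1f} years old"))
    return findings


# Constructed sample scan results using the documentation address range;
# not data from the report.
SAMPLE_SCAN = [
    ("198.51.100.10", 23, ""),
    ("198.51.100.11", 3389, ""),
    ("198.51.100.12", 22, "SSH-2.0-OpenSSH_5.3"),
    ("198.51.100.13", 22, "SSH-2.0-OpenSSH_8.3"),
    ("198.51.100.14", 443, ""),
]

if __name__ == "__main__":
    for host, port, reason in audit(SAMPLE_SCAN, AS_OF):
        print(f"{host}:{port}  {reason}")
```

On the sample data this flags the Telnet and RDP hosts and the server running a 2009-era OpenSSH, while the HTTPS host and the recent OpenSSH server pass. A real audit would feed in the output of an external port scan of the organisation's own ranges and treat an unrecognised SSH banner as something to investigate rather than ignore.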
Cyber attackers now targeting the human factor as well
Commented Neil Campbell, Vice President, APJ, Rapid7: “Organizations in Australia have actually improved the security of internet services in the last year. Unfortunately, cyber attackers have seen that and are now targeting the human factor as well. In addition to upgrading insecure services and patching systems, there are some fundamental human behaviours that have to be addressed. The only way to do that is through cyber awareness training.”
Campbell also sounded a warning about VPN concentrators and remote access services which many organizations have become more reliant on since the pandemic. “These have become the new Adobe Reader, which was a go-to attack vector at the height of its popularity and often went unpatched,” he said. “Even where the services are encrypted, the risk of remote code execution vulnerabilities or credential stuffing attacks means they are only really safe when patches are up to date and multi-factor authentication is used.”