5 ways the FTSE 250 falls down on web security (and 1 where they’re pretty good)

The FTSE 250 is good at keeping internet-facing SMB & Telnet exposure down but has work to do around HTTPS and DMARC.

As one of the main indexes in the country, the FTSE 250 is a cross-section of the UK business landscape. But how does the FTSE 250’s web security stack up compared to the likes of the ASX 200 and Fortune 500?

A new Rapid7 Labs report measured the internet-facing security profiles of the FTSE 250 and selected other companies of comparable size and profile to understand the exposure of specific organisations and industry sectors to cybersecurity risks around email security, patch management & version control, SMB/Telnet exposure, encryption, and more. 

This report follows previous versions which looked at the internet-facing exposure of companies in the ASX 200 and Fortune 500.


1. FTSE 250 companies have an average of 35 systems exposed to the internet

With an average of 35 systems exposed to the internet, the FTSE 250 is slightly more open than the ASX 200 (29) but far less so than the Fortune 500 (500).

“That number just kind of is what it is,” says Tod Beardsley, Director of Research at Rapid7. “It's not good and bad, but it like gives people an idea, especially in IT, an idea of what's a normal, large company, well-resourced IT department looking to maintain patch and do your continuous integration on the internet facing part of their business.”

Technology & communications had the highest average number of exposed systems, at over 100. Hotels, restaurants and leisure was the next most exposed category, followed by equity investment. Only one company on the list had over 1,000 systems exposed online. Real Estate and Material & Mining were the least exposed categories of company.

Rapid7 recommends that companies keep their internet-facing exposure to a minimum and maintain robust asset identification and configuration management processes to help avoid these systems becoming enterprise entry points for attackers.

“Exposure itself, in and of itself is not bad,” says Beardsley. “People are allowed to have websites, DNS servers and mail servers, some kind of secure transfer that's not FTP, they're allowed to have that. But in the aggregate, every new service you're standing up is another thing to take care of, it increases your attack surface.”


2. Most companies don’t have DMARC to help prevent phishing

The DMARC email authentication protocol is designed to protect email domains from spoofing; it reduces the chance of criminals impersonating a company via email and so lessens the risk of phishing attacks.

“DMARC was originally put out to help customers tell the difference between good or suspicious or spam,” says Beardsley, “But it turns out, that's also a really good protection for your employees; it's hard to pretend to be my CFO and try to extract something from me if you can't forge my domain just out of the gate.”

Over 70 percent of FTSE 250 companies have no DMARC protection in place, compared to 66 percent of the Fortune 500 and 67 percent of the ASX 200. Certain industries were better than others; technology & telecoms companies were nearly twice as likely to have DMARC protections in place, followed by the Aerospace, Defense, and Transportation industry.

“That uptake has been real sparse and it's surprising to me because the NCSC has done, I think, a pretty great job of like touting this. I do feel like DMARC is kind of table stakes now for managing email and should be like part and parcel part of life of email administrators' job.”

Beardsley says that he hopes uptake will increase if and when email providers start flagging a lack of DMARC in the same way that web browsers flag websites lacking HTTPS. And while he admits it can be a challenge to roll out, it should still be more of a standard by now.

“It is common wisdom at this point is that the phishing is your kind of number one vector for malware or information thieves, things like that, and DMARC is kind of your bare minimum here of how to deal with this.”
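The report's DMARC finding boils down to one question per domain: is there a `_dmarc.<domain>` TXT record, and if so does its policy actually reject forged mail? The following is an added example, not code from the Rapid7 report or the article, that parses such a record and grades it. The domains and records are constructed samples; the `_dmarc` TXT lookup itself is left to the caller so the code runs offline.

```python
# Added example, not code from the Rapid7 report or the article: grade a
# domain's DMARC policy from the TXT record published at _dmarc.<domain>.
# All domains and records below are constructed samples.

def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict.

    Tags are separated by ';' and tag names are case-insensitive.
    A tag without '=' makes the record malformed and raises ValueError.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return (grade, notes) for a domain's DMARC TXT record (None if absent).

    Grades, weakest to strongest:
      none     - no record, so receivers apply no policy at all
      invalid  - a record exists but is not a usable DMARC1 policy
      monitor  - p=none: reports only, forged mail is still delivered
      partial  - quarantine, or reject applied to less than 100% of mail,
                 or a subdomain policy (sp=) weaker than the main policy
      enforce  - p=reject at pct=100 with subdomains covered
    """
    if record is None:
        return "none", ["no _dmarc TXT record published"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [str(exc)]
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    if policy not in rank:
        return "invalid", [f"missing or unknown p= tag: {policy!r}"]

    notes = []
    # sp= defaults to the main policy when absent (RFC 7489, section 6.3)
    sub_policy = tags.get("sp", policy).lower()
    sub_rank = rank.get(sub_policy, 0)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        notes.append("pct= is not a number; treating it as 0")
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports will not be received")

    if policy == "none":
        notes.append("p=none only monitors; forged mail is still delivered")
        return "monitor", notes
    if policy == "quarantine":
        notes.append("p=quarantine sends forged mail to spam instead of rejecting it")
    if pct < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sub_rank < rank[policy]:
        notes.append(f"sp={sub_policy} leaves subdomains weaker than the main domain")
    if policy == "reject" and pct == 100 and sub_rank == 2:
        return "enforce", notes
    return "partial", notes


# Constructed sample records, one per outcome
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "half.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@half.example",
    "weak-sub.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@weak-sub.example",
    "enforce.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example",
    "broken.example": "v=DMARC1; p",
}


def audit(records):
    """Map each domain to its DMARC grade."""
    return {domain: grade_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        grade, notes = grade_dmarc(rec)
        print(f"{domain:20} {grade:8} {'; '.join(notes)}")
```

A domain that only publishes `p=none` still counts as "having DMARC" in the narrow sense, but receivers will deliver forged mail regardless, which is why the grading separates monitoring from enforcement. The rollout path Beardsley calls challenging is usually exactly this ladder: publish `p=none` with an `rua=` address, read the aggregate reports until every legitimate sender is covered by SPF or DKIM, then move to `quarantine` and finally `reject`.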

Rapid7 notes that HTTPS is the industry standard for all well-known domains and recommends that all FTSE 250 members remediate this as soon as possible and encrypt their web traffic.


3. Too many companies still don’t encrypt web traffic

Despite nearly 80 percent of web traffic globally now being encrypted, 17 percent of FTSE 250 organisations do not auto-upgrade HTTP requests to HTTPS. This can leave visitors open to man-in-the-middle attacks, and given that browsers often mark HTTP sites as unsafe, it can also hurt perceptions of a company’s security posture.

“There was a surprising amount of HTTP web servers amongst the FTSE 250, it's way higher than the other two that we've looked at so far [ASX 200/Fortune 500]. Which was especially surprising because the UK is one of those regions where you guys are nuts about cookies, and many of those persistent cookies can be an attack vector.”
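"Auto-upgrade" in the report's sense means that the very first response to a plain `http://` request is a redirect to `https://`. The following added example, which is not code from the Rapid7 report or the article, classifies that first hop from its status code and `Location` header, and separately checks for a `Strict-Transport-Security` header, which goes a step beyond what the article discusses but is what makes the upgrade stick in the browser. The hosts and responses are constructed; a real scan would obtain them from an HTTP client configured not to follow redirects.

```python
# Added example, not code from the Rapid7 report or the article: decide from
# the response to a plain-HTTP request whether a site auto-upgrades to HTTPS.
# Responses below are constructed; in practice they come from an HTTP client
# that does NOT follow redirects, so the first hop can be inspected.
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_http_response(request_url, status, headers):
    """Classify the first response to an http:// request.

    headers is a dict of response headers (looked up case-insensitively).
    Returns one of:
      upgraded     - redirected to https:// on the same host
      cross-host   - redirected to https://, but on another host
      downgrade    - redirected, yet still to http:// (or a relative path)
      served-plain - a 2xx page served over plain HTTP, no upgrade at all
      other        - an error or otherwise non-redirect status
    """
    lower = {k.lower(): v for k, v in headers.items()}
    req_host = urlparse(request_url).hostname
    if status in REDIRECT_CODES and "location" in lower:
        target = urlparse(lower["location"])
        if target.scheme == "https":
            return "upgraded" if target.hostname == req_host else "cross-host"
        # http:// or a scheme-less relative Location keeps the visitor on HTTP
        return "downgrade"
    if 200 <= status < 300:
        return "served-plain"
    return "other"


def has_hsts(headers, min_age=31536000):
    """True if Strict-Transport-Security is present with max-age >= min_age (default one year)."""
    lower = {k.lower(): v for k, v in headers.items()}
    sts = lower.get("strict-transport-security")
    if not sts:
        return False
    for directive in sts.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1]) >= min_age
            except ValueError:
                return False
    return False  # header present but without max-age: browsers ignore it


# Constructed first-hop responses for a handful of made-up hosts
SAMPLE_RESPONSES = [
    ("http://good.example/", 301, {"Location": "https://good.example/"}),
    ("http://plain.example/", 200, {"Content-Type": "text/html"}),
    ("http://loop.example/", 302, {"Location": "http://loop.example/home"}),
    ("http://www.move.example/", 301, {"Location": "https://move.example/"}),
    ("http://rel.example/", 302, {"Location": "/index.html"}),
]


def audit_sites(responses):
    """Return {url: classification} for each sampled first hop."""
    return {url: classify_http_response(url, status, hdrs)
            for url, status, hdrs in responses}


if __name__ == "__main__":
    for url, result in audit_sites(SAMPLE_RESPONSES).items():
        print(f"{url:28} {result}")
```

Only `upgraded` (and, with some care, `cross-host`) counts as auto-upgrading; `served-plain` is the case the 17 percent figure describes. Browsers only honour `Strict-Transport-Security` when it arrives over HTTPS, so `has_hsts` should be run against the response from the `https://` URL the redirect lands on, not the plain-HTTP hop.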


4. Half of companies are running multiple versions of web servers

Version control of web servers amongst the FTSE 250 is worse than that of its Australian counterpart.

The most common number of Microsoft IIS, Apache HTTPD, and NGINX versions maintained was one. However, more than half of companies were maintaining more than one version of web server platforms. Nine companies were maintaining five different versions of Microsoft IIS. The largest number of Apache versions maintained by one company was 17, while one company was found to be managing 29 versions of NGINX.

The ASX saw around half just running one version of a web server, and the most versions of IIS being maintained was five. However, it did have one company running 13 versions of Apache, and another running 13 versions of NGINX. Rapid7 did not look at web server version control in its Fortune 500 study.

While running multiple versions of different web servers should be within the capabilities of decently resourced teams at large companies, every extra version to manage increases the chance of an attacker finding a way through. Rapid7 recommends organisations keep an up-to-date inventory and ensure they are using supported and patched versions of software.

“It may not be so bad that you're running 10 versions of Apache, all of which are in life and getting security updates. But that's a lot of work and makes it a lot easier to miss something.”


5. UK companies aren’t good at hiding which services they use

Like the Fortune 500 and the ASX 200, the FTSE 250 as a whole is guilty of exposing metadata about the third-party services it uses within its DNS records.

Many services – including Google’s G Suite – do DNS verification through TXT records. These are often one-time checks, but companies rarely remove the records once verification is complete. While these records aren’t harmful in themselves, they can give attackers insight into an environment by highlighting the third-party services in use and possibly help them identify a route into an organisation.

“It's like a problem where you install an app on your phone,” explains Beardsley, “you use it once you forget about it forever. Getting rid of those helps obfuscate a little bit what your internal IT looks like.”

Rapid7 found metadata highlighting third-party services in every industry, highlighting services around advertising, analytics, Content Delivery Networks, social media services, application development, filesharing, and more. As an example of how a list of services can be used by attackers, the Magecart group has made a name for itself by compromising JavaScript libraries of advertising services in order to install skimmers onto a number of large eCommerce sites.

Beardsley recommends that such records should be removed once the initial validation has occurred as a matter of ‘good cyber hygiene.’

“In most of the documentation, there's no note that says, 'after we verified, you can go ahead and delete this.’ I would recommend people delete them all, and if you have a vendor that is like continuously checking you'll know because suddenly your stuff won't work anymore, [but] it's easy to put it back.”
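Beardsley's "delete them all and see what breaks" advice starts with knowing which TXT records are verification leftovers and which do real work. The following added example, not code from the Rapid7 report or the article, sorts a domain's TXT records into mail-authentication records to keep, recognisable vendor verification tokens, and ACME DNS-01 challenge tokens left behind by certificate issuance. The zone is constructed; the vendor prefixes are real formats those services use for ownership checks, though the list is illustrative rather than exhaustive.

```python
# Added example, not code from the Rapid7 report or the article: scan a
# domain's TXT records for leftover one-time verification tokens, the kind
# of metadata the report found in every FTSE 250 industry. The zone below is
# constructed; the real records would come from a TXT lookup on the domain.
import re

# Value prefixes that named services use for TXT-based ownership checks.
# The list is illustrative rather than exhaustive.
VERIFICATION_PATTERNS = [
    ("Google (G Suite / Search Console)", re.compile(r"^google-site-verification=", re.I)),
    ("Microsoft 365", re.compile(r"^MS=ms\d+", re.I)),
    ("Facebook", re.compile(r"^facebook-domain-verification=", re.I)),
    ("Apple", re.compile(r"^apple-domain-verification=", re.I)),
    ("Atlassian", re.compile(r"^atlassian-domain-verification=", re.I)),
    # catch-all for any other "<vendor>-domain-verification=" style token
    ("unrecognised verification token", re.compile(r"(site|domain)[-_]?verification=", re.I)),
]

# Records with a live function that must stay in the zone (mail authentication).
KEEP_PATTERNS = [
    re.compile(r"^v=spf1\b", re.I),
    re.compile(r"^v=DMARC1\b", re.I),
    re.compile(r"^v=DKIM1\b", re.I),
]


def classify_txt(name, value):
    """Return the service a TXT record reveals, 'keep' for records that do
    real work, or None when nothing is recognised."""
    if any(p.search(value) for p in KEEP_PATTERNS):
        return "keep"
    # ACME DNS-01 challenge tokens are only needed while a certificate is issued
    if name.lower().startswith("_acme-challenge."):
        return "ACME DNS-01 challenge"
    for service, pattern in VERIFICATION_PATTERNS:
        if pattern.search(value):
            return service
    return None


def audit_txt_records(records):
    """records: iterable of (name, value) TXT records.
    Returns a list of findings, each naming the record and the service it reveals."""
    findings = []
    for name, value in records:
        service = classify_txt(name, value)
        if service and service != "keep":
            findings.append({
                "name": name,
                "service": service,
                "value": value[:32] + ("..." if len(value) > 32 else ""),
                "action": "remove once the vendor has confirmed verification; re-add if the vendor re-checks",
            })
    return findings


def services_revealed(records):
    """Sorted, de-duplicated list of the services a zone exposes."""
    return sorted({f["service"] for f in audit_txt_records(records)})


# Constructed zone for a made-up domain
SAMPLE_ZONE = [
    ("example.test", "v=spf1 include:_spf.mailer.test -all"),
    ("_dmarc.example.test", "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
    ("example.test", "google-site-verification=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd"),
    ("example.test", "MS=ms12345678"),
    ("_acme-challenge.example.test", "Q3R9a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t"),
    ("example.test", "somevendor-domain-verification=0123456789"),
    ("example.test", "hello from the DNS admin"),
]

if __name__ == "__main__":
    for f in audit_txt_records(SAMPLE_ZONE):
        print(f"{f['name']:30} {f['service']:35} {f['value']}")
    print("services revealed:", ", ".join(services_revealed(SAMPLE_ZONE)))
```

The `services_revealed` list is the attacker's-eye view the report describes: a quick inventory of which SaaS vendors an organisation has onboarded, read straight out of public DNS. Running the audit on a schedule, rather than once, catches the tokens that new vendor onboarding keeps adding.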


6. The UK is good at keeping SMB & Telnet exposure down

The Server Message Block (SMB) protocol has its roots in the early 1980s and is primarily used for file and printer sharing, as well as for access to remote services. However, it remains a popular avenue for attackers; WannaCry relied on the EternalBlue vulnerability in SMB.

SMB exposure amongst the FTSE 250 is almost zero, with just seven SMB assets exposed across the entire range of companies analysed. Telnet, a protocol dating back to the 1960s and lacking security safeguards such as authentication and encryption, was slightly more prevalent with 16 exposed systems in the study.

“At least in the FTSE 250, it feels like they really took it on the chin when WannaCry happened, and they really learned their lesson, which is great,” says Beardsley.

By comparison, the ASX had fewer exposed SMB services but over 20 exposed Telnet services. The Fortune 500, meanwhile, fared far worse and averaged 10 exposed SMB nodes and 10 Telnet services per organization.

“Getting that number of exposed SMB servers down to zero would be great,” he adds. “One is too many. And keep an eye on that, too. If you don't have a recent disaster it's easier to accidentally drop this stuff to the internet.”

“Continuously monitoring your own internet presence will go a long way towards helping your vulnerability management and your asset management.”

Copyright © 2019 IDG Communications, Inc.
