Basic email security should be a top priority for UK firms, followed by reducing third-party web exposure and monitoring data flows leaving the enterprise, a Rapid7 study reveals
The security firm appraised the companies’ exposure to certain cyber security risks by scanning the internet for exposed systems and devices in the first quarter of 2019 and using data made available through interactions with public-facing systems over the internet.
According to Rapid7, this is the most comprehensive and accurate public report covering the real-world internet presence of a national economy to date, providing a clear indication of the resilience against cyber attacks of the top private sector organisations and industries – the UK’s major employers.
This can be used to facilitate more accurate security budget allocation, help target efforts to reduce exposure to the industries that need it most, and enhance cooperative efforts between government and the private sector to better protect users and companies alike, the report said.
The study found that 88% of the UK organisations scanned have weak or non-existent phishing defences, such as implementing the domain-based message authentication, reporting and conformance (Dmarc) protocol in the public email configuration of their primary email domains.
This is the weakest anti-phishing showing of all the Rapid7 industry cyber exposure reports to date, coming in higher than the US-centric Fortune 500 (73%) and the Australasia-centric ASX 200 (78%), although these figures showed that Dmarc needs attention in these regions too.
UK firms lack basic phishing protection
The report noted that most (70%) of the UK firms scanned had not implemented Dmarc, a basic modern protection against phishing, despite the fact that phishing remains one of the most common cyber attack vectors corporations face today and the availability of guidance on how to implement it from the UK’s National Cyber Security Centre (NCSC), which has also championed the use of Dmarc.
Dmarc enables organisations to signal that they are using email authentication to prove emails are not forged, provide an email address to gather feedback about messages using their domain – legitimate or not, and apply a policy to messages that fail authentication.
Properly configured Dmarc records with “quarantine” or “reject” policies applied have active email defence measures in place, but the study found that several UK industry sectors did not have Dmarc configured to “quarantine” or “reject”.
Only three UK industry sectors – technology and telecommunications, materials and mining, and real estate – have instances of organisations that have applied both policies, the study found.
“We need to get to the point that every email administrator sees Dmarc implementation as a basic part of their job”
Tod Beardsley, Rapid7
“Planning and deploying a properly restrictive Dmarc configuration takes time, but it’s a time investment that can vastly improve a company’s internal and external email security posture,” said Tod Beardsley, research director at Rapid7.
“Otherwise it is free – it is just a configuration setting, not a product that anyone is going to sell you, but it is a standard that has been around for around seven years and is the minimum an organisation should be doing to counter phishing, which is the top way attackers are getting into networks,” he told Computer Weekly.
“We need to get to the point that every email administrator sees Dmarc implementation as a basic part of their job, and the failure to use Dmarc is being flagged in a way similar to the Chrome browser’s flagging of websites not using encryption,” said Beardsley.
Third-party web services pose a risk
The second priority for UK organisations after phishing protection, through implementing Dmarc at the very least, said Beardsley, is reducing third-party web exposure.
The internet has become the backbone of international commerce in virtually every industry and locale, but as a result, the report said it was almost impossible to have a website, business process or digital storefront without relying on some outside party.
As a firm’s digital footprint expands, the report said the more the details of these third-party dependencies leak out through necessarily exposed metadata required to keep these services connected and operating smoothly.
As a result, the study found that every organisation in the FTSE 250+ was vulnerable to targeted phishing attacks based on the third-party service metadata they expose in their domain name system (DNS) records.
In addition, the study found every organisation places itself and its website visitors at risk due to reliance on improperly configured third-party web services, with only five primary websites providing even a thin layer of third-party protection through the use of content security policies.
The study found that many organisations across UK industry sectors signal how many and which cloud service providers they use in their DNS metadata, with 114 organisations using between two and seven cloud service providers. “This information can be used to craft highly effective, targeted attacks, among other actions,” the report said.
If organisations begin to stray from established and resilient service providers, the report said they increased their risk of successful phishing and other types of attacks by observant, capable attackers who simply need to make a handful of DNS queries to create a list of targets.
But most DNS “validation” records are required only once, and therefore Rapid7 recommends that they are removed after the initial validation has occurred.
Enterprise systems regularly compromised
A third priority for UK organisations, said Beardsley, is to ensure that they are capable of gathering evidence of system compromise.
The report showed that all UK industry sectors had at least one organisation with malware infections, with administrative and professional organisations showing monthly signs of regular compromise.
Incidents across industries ranged from company resources being co-opted into denial of service (DoS) amplification attacks to signs of EternalBlue-based campaigns similar to WannaCry and NotPetya.
Rapid7 recommends that UK organisations monitor traffic leaving their networks by keeping an eye on Egress filters.
The report noted that while network administrators were accustomed to making sure connectivity is both smooth and uninterrupted and fixing things when connections fail, they should also be concerned with preventing errant and malicious traffic from leaving their domains.
Outbound traffic rules should be regularly audited and tested, both from the datacentre and from deep inside the network to ensure that a misconfiguration does not result in an accidental breach.
Other key findings of the report include that:
Top UK organisations, on average, expose a public attack surface of 35 servers or devices, with some companies exposing more than 1,000 systems/devices. This is a measure of an organisation’s attack surface, with each exposed node representing a potential opportunity for attackers to gain a foothold.
Secure sockets layer (SSL)/transport layer security (TLS) security is not enforced on the primary websites of 19% of top UK organisations. This leaves visitors open to a wide array of common and potentially devastating attacks by adversaries in a position to modify web content as it is being transmitted.
Most organisations in every sector had serious issues with patch/version management of business-critical internet-facing systems.
Each exposed server or device must be properly configured, managed, patched and defended to reduce the risk of a cyber attack, the report said.
“The higher the number of exposed servers or devices, the harder it is to keep on top of managing them all. Typically, this means you need to hire more people and you have to invest more in automation and automation workarounds,” said Beardsley.
“The higher the number of exposed servers or devices, the harder it is to keep on top of managing them all”
Tod Beardsley, Rapid7
Rapid7 recommends that organisations should strive to expose only systems and devices on the internet if they support business processes and must further ensure they have robust asset identification and configuration management processes in place to help avoid these systems becoming enterprise entry points for attackers.
The study found that nearly 17% of top UK organisations do not auto-upgrade HTTP requests to HTTPS (HTTP + SSL/TLS) which leaves visitors wide open to a vast array of man in the middle attacks. The report said this was an “egregious configuration oversight” that all affected UK organisations should strive to remediate as soon as possible.
Keeping internet services configured, patched and running supported versions of operating systems and internet-facing applications can go a long way towards thwarting attackers, the report said, noting that failure to use updated software versions put organisations at greater risk of attack through known vulnerabilities.
However, the study found that most organisations in the FTSE 250+ were running older and often unsupported versions of the three most prolific web servers: Microsoft’s Internet Information Services (IIS), Apache HTTPD and NGINX.
Reduced reliance on Telnet and SMB a step in the right direction
A key positive finding was that severely vulnerable services such as Telnet and Windows SMB (server message block) file-sharing were present in only a few organisations, with most UK industry sectors having only one organisation exposing Telnet or SMB.
The report cited SMB as one of the most dangerous services for a system to expose. Vulnerabilities in the SMB service were at the heart of the WannaCry and NotPetya attacks, which crippled networks and caused significant outages to critical business processes that cost many companies millions of dollars in lost revenue, the report said.
“UK industry really took it on the chin with WannaCry, which was a big deal in the UK specifically. As a result, UK corporates and internet service providers have really gone out of their way to reduce the use of SMB in the past two years,” said Beardsley.
Telnet exposure creates risks similar to SMB exposure. Telnet services have a history of vulnerabilities and exposures that put organisations at risk of credential theft, passive and active eavesdropping, and remote code execution, the report said.
While a total absence of Telnet and SMB on today’s internet would be ideal, the report said the FTSE 250+ has far less SMB/Telnet exposure, both in absolute and relative terms, than the Fortune 500.
Rapid7 recommends the elimination of all public-facing SMB and Telnet. There is no technical or practical justification for running a Telnet service today, the report said. It has been superseded by SSH/TLS, which provides encryption-in-transport and encourages the use of digital certificates when authenticating connections.
The report noted that because the FTSE 250+ organisations typically have substantial resources and access to excellent technical expertise, the findings suggested that the severity of exposure may be greater for the many thousands of organisations smaller than those in the FTSE 250+ group.
“The digital ecosystem could benefit from an ongoing conversation with key stakeholders on the reasons for this continued exposure, along with steps to mitigate the cyber security risks it poses,” the report concluded.
