Andrea Danti - Fotolia
Millions of IT systems on the internet offer services that should not be exposed to the public network, a study by security firm Rapid7 has revealed.
The study uncovered 15 million nodes offering Telnet, 11.2 million nodes offering direct access to relational databases, and 4.5 million printer services, according to a report released at Infosecurity Europe 2016 in London.
The scan of 30 of the most prevalent services across the internet showed that 4.7 million systems expose port 445, which is one of the most commonly attacked ports used by Microsoft systems.
The study measured the prevalence of cleartext, unencrypted services on the internet and their encrypted counterparts, by country, and used this ratio to generate an overall National Exposure Index score.
It found the most exposed nations on the internet today include countries with the largest GDPs, such as the US, China, France and Russia.
Belgium was found to be the most exposed country, but researchers said the reason for that was not yet clear. The US was ranked at number 14, while the UK came in at 23.
“This is a foundational paper, intended to educate readers about the core principles on which internet-based services operate,” said Tod Beardsley, security research manager at Rapid7.
“It is aimed at decision makers, policy makers and chief information security officers, which is why there is a lot of explanation in the report of how things work. We are releasing all the data behind the report, so it is also aimed at researchers and data scientists,” he told Computer Weekly.
Encryption is essential
The report catalogues, for the first time, what is going on in the internet, providing the first service-level audit in an attempt to counteract the high level of port scanning being carried out by cyber criminals.
“We wanted to look at all the cleartext services versus their encrypted counterparts to see how that deployment is coming along, because encryption is important for properly securing the internet,” said Beardsley.
According to the report, fully encrypted communication is important for overall internet safety, usability and sustainability.
“Today’s internet touches virtually everyone’s lives and is a critical component of economic security. Counter-intuitively, the adoption of fully encrypted protocols for core internet services has not scaled with our personal, national and global dependence on the internet,” the report said.
Beardsley said most people treat the internet as if it were a secure, safe and stable machine, while in reality is it not engineered that way.
“In a way, the internet is not really engineered at all. It has grown and developed organically, and uses millions of insecure protocols like Telnet and FTP [file transfer protocol], which is not appropriate for the way we use the internet today. It’s 2016, but the internet still looks a lot like it did in 1996, just bigger,” he said.
That is despite the fact that there are enormous security and functionality advantages to having encrypted services, he said, especially authentication that enables internet users to be certain about who they are talking to.
Read more about internet security
- International norms of behaviour should prohibit states from conducting cyber intellectual property theft, says Australian prime minister Malcolm Turnbull.
- Internet pioneer Paul Vixie spoke with SearchSecurity about IPv6 NAT, IPv6 and the internet of things, and the long, thankless path to deploying IPv6.
- Security flaws exposed on internet-connected baby monitors indicate the poor state of consumer IoT security that businesses should not ignore, warns Rapid7.
For example, the report shows that FTP, which dates from the very start of the internet and is rarely encrypted, is still the fourth most popular protocol, with 20 million FTP services being used to transport things like software security updates, customer data and even patient data.
“People tend to just use the internet and all they care about is that it works. But this study shows that we need to be a little bit more thoughtful, at least on a national and international level, about where we want the internet to go, because we are treating it as if were engineered one way, while it is actually built in an entirely different way,” said Beardsley.
Businesses should check their own networks, he said, because many of these ports are exposed unintentionally, and unbeknownst to the organisations concerned, by third-party contractors who set up the infrastructure.
“We also want to spark conversations about the whole notion of exposure, and raise awareness about things like the fact that one machine with five to seven services on it creates a whole lot more exposure or greater attack surface than having one to two services per machine,” said Beardsley.
“We would also like researchers and manufacturers to look at our data, which has been lacking until now, to see what they can come up with to help fill in the gaps, and to consider the advantages of encryption, which should now be the default,” he said.
According to Beardsley, there is an urgent need for the same kind of effort that went into averting the Y2K crisis to go into averting a crisis around insecure connections on the internet.
“Failure to do the hard work now will result in a crisis due to the mass deployment of unencrypted services,” he said.
Beardsley said individual businesses need to look at what they are doing on the internet, identify the most critical services, and then do whatever is necessary to keep these secure and prevent them from going down.