Rapid7 Cyber-Exposure Report: Fortune 500
December 2018, by Rapid7
Rapid7 has announced the findings of a report examining the cyber threats facing the top 500 companies (the Fortune 500). Security researchers analysed the vulnerabilities in the publicly accessible configuration of Internet-facing services and metadata for 453 Fortune 500 companies, evaluating:
● Overall attack surface (the number of exposed servers/devices);
● Presence of dangerous or insecure services;
● Phishing defence posture;
● Evidence of system compromise;
● Weak public service and metadata configurations; and
● Joint third-party website dependency risks.
The researchers found numerous vulnerabilities: structural weaknesses in phishing defences, exposure to insecure and outdated protocols on the Internet, and evidence of compromising activity.
Some key findings include:
● Fortune 500-member organisations, on average, expose a public attack surface of 500 servers/devices, with many companies exposing 2,500 or more systems/devices.
● Of the appraised Fortune 500 organisations, 330 have weak or non-existent anti-phishing defences (i.e., DMARC) in the public email configuration of their primary email domains.
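The DMARC finding above is about what a domain publishes in DNS: a TXT record at _dmarc.<domain> that tells receiving mail servers what to do with messages failing SPF/DKIM alignment. The following is an added example, not Rapid7's code, showing how such records can be classified as "none", "weak" or "enforcing" across a set of domains. The report's own scoring criteria are not given on the page, so the three-way classification (no record, a record with p=none or partial pct, and a record that rejects or quarantines 100% of failing mail) is an assumption, and the sample records are constructed rather than taken from any real domain.

```python
"""Classify the DMARC posture of a set of domains from their published records.

Added example, not Rapid7's code: the report's exact scoring criteria are not
given on the page, so the three-way classification below is an assumption.
"""
from typing import Dict, Optional

# Constructed sample data: the TXT record that would be published at
# _dmarc.<domain>, or None when the lookup returns no record at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "wrong-record.example": "v=spf1 include:_spf.wrong-record.example -all",
}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into lower-cased tag/value pairs.

    Returns None unless the record carries the required v=DMARC1 tag,
    so an SPF record or other stray TXT data is not mistaken for DMARC.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            return None  # malformed tag
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify_dmarc(record: Optional[str]) -> str:
    """Return 'none', 'weak' or 'enforcing' for one domain's record.

    none      -> no DMARC record (or a record that is not DMARC at all)
    weak      -> a record exists but receivers are not told to reject or
                 quarantine all failing mail: p=none, a missing or unknown
                 p tag, or pct below 100
    enforcing -> p=quarantine or p=reject applied to 100% of mail
    """
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "weak"
    try:
        pct = int(tags.get("pct", "100"))  # RFC 7489 default is 100
    except ValueError:
        return "weak"  # unparsable pct: do not credit enforcement
    if pct < 100:
        return "weak"
    return "enforcing"


def summarise(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per posture, the way a fleet-wide survey would report them."""
    counts = {"none": 0, "weak": 0, "enforcing": 0}
    for record in records.values():
        counts[classify_dmarc(record)] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24s} {classify_dmarc(record)}")
    print(summarise(SAMPLE_RECORDS))
```

In practice the record strings would come from a TXT lookup of _dmarc.<domain> (the standard library has no DNS TXT client, so a resolver library or `dig`-style tool supplies that step); the classifier itself is deliberately offline so the scoring logic can be reviewed and tested on its own. Treating a partial `pct` as weak matters because a domain can appear to have `p=reject` while leaving most spoofed mail unaffected.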
The details behind these findings are presented in the remainder of the report. The discovery of such widespread weaknesses in the exposed services of these leading organisations makes it likely that there is even greater exposure and risk in smaller organisations with fewer staff and financial resources available for securing their public internet resources.