Rapid7, a leading provider of security analytics and automation solutions, has released its National/Industry/Cloud Exposure Report (NICER) for 2020. The most comprehensive census of the modern internet, NICER 2020 analyses the changing internet risk landscape, measuring the prevalence and geographic distribution of common cybersecurity exposures with findings broken down by country, industry sector and internet protocol.
NICER 2020 focuses on the risks and multinational prevalence of protocols that are inherently flawed or too dangerous to expose to the internet – such as FTP, Telnet, SMB and open, insecure databases. Based on this, it ranks Australia as the 14th most exposed country in the world. The US is the most exposed country, followed by China, South Korea, UK, Germany, Brazil, Russia, Japan, Canada, Iran, Italy, Argentina, Taiwan, Australia, Spain, France, India, Turkey, Hong Kong and Mexico.
A technical assessment of the 24 service protocols surveyed finds that, on the whole, unencrypted, cleartext protocols are still the rule on how information flows around the world. There are 42% more plaintext HTTP Web servers than encrypted HTTPS servers, three million databases awaiting insecure queries, and 2.9 million routers, switches and servers accepting Telnet connections.
Financial services and telecommunications remain exposed
NICER 2020 finds that the top publicly traded companies in advanced economies including Australia are hosting a surprisingly high number of unpatched services with known vulnerabilities, especially in financial services and telecommunications. There are tens of thousands of high-rated CVEs (Common Vulnerabilities and Exposures) across the public-facing assets of these two sectors. Despite their vast collective reservoirs of wealth and expertise, this level of vulnerability exposure is unlikely to get better in a time of global recession.
The report analyses the exposure of companies listed on the ASX 200 in Australia, the Deutsche Börse Prime Standard 320, the Nikkei 225 in Japan, the UK FTSE 250+ and the US Fortune 500, giving each industry sector a grade of A, B, C or D. Industries graded D include Technology, Telecommunications, Financial Services, Healthcare, Pharma, Engineering, Construction, Industrials, Materials and Mining. Companies in these sectors correspond with the majority of breach and ransomware headlines in the last 12 months.
Surprisingly, internet exposure has gotten somewhat better, not worse
One positive finding is that the population of insecure services has gone down over the past year, with an average 13% decrease in exposed, dangerous services such as those based on the SMB and rsync file sharing protocols, and the Telnet remote computer access protocol. At the same time, more secure alternatives to insecure protocols, like SSH (Secure Shell) and DoT (DNS-over-TLS) increased overall.
These findings contradict the doom-and-gloom predictions by many commentators that there would be a jump of newly exposed insecure services such as Telnet and SMB with the sudden shift to work-at-home for millions of people and the continued rise of Internet of Things (IoT) devices crowding residential networks.
Australia also made significant strides in reducing its exposure in the last year. The exposure of plaintext FTP (file transfer protocol) services across the country, for example, was reduced by 56% in 2020 compared with the same period in 2019. This was one of the biggest improvements globally. SMB (Server Message Block, Microsoft Windows’ multi-purpose protocol used for file transfers) exposure in Australia was already fairly small in 2019 (just over 5000 servers exposed) and that footprint was further reduced to 4515 in 2020.
Australia exposed to attacks on remote access services
There is still considerable room for improvement, however. NICER 2020 finds there are still almost 40,000 systems exposing Microsoft Remote Desktop (RDP) and 4800 exposing Virtual Network Computer (VNC) remote access services in Australia. This puts organisations at risk of credential stuffing, brute force and exploit-based cyber attacks.
Australia is also fourth in the world with over 3000 exposed Citrix ADC/Netscaler services used to provide remote access to applications and/or desktop environments. Worryingly, Rapid7’s version fingerprinting technique shows that only 73% of internet-facing Citrix systems have the latest patches or mitigations in place, with the remaining 27% either being vulnerable or woefully outdated.
Globally, patch and update adoption continues to be slow for a wide range of internet services, even for modern services with reports of active exploitation. This is particularly true in the areas of email handling and remote access where, for example, 3.6 million SSH servers are sporting versions between five and 14 years old.
“Cyber attackers now targeting the human factor as well”
“Organisations in Australia have actually improved the security of internet services in the last year,” said Neil Campbell, Vice President APJ for Rapid7, commenting on the research. “Unfortunately, cyber attackers have seen that and are now targeting the human factor as well. In addition to upgrading insecure services and patching systems, there are some fundamental human behaviours that have to be addressed. The only way to do that is through cyber awareness training.”
Campbell also sounded a warning about VPN concentrators and remote access services which many organisations have become more reliant on since coronavirus. “These have become the new Adobe Reader, which was a go-to attack vector at the height of its popularity and often went unpatched,” he said. “Even where the services are encrypted, the risk of remote code execution vulnerabilities or credential stuffing attacks means they are only really safe when patches are up to date and multi-factor authentication is used.”
To view a copy of the full report, please visit.
For an infographic explaining key results, please visit.
Rapid7 (Nasdaq: RPD) is advancing security with visibility, analytics and automation delivered through our Insight cloud. Our solutions simplify the complex, allowing security
teams to work more effectively with IT and development to reduce vulnerabilities, monitor for malicious behaviour, investigate and shut down attacks, and automate routine tasks. Over 8,500 customers rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organisations.