A new report by Rapid7 has found that companies listed on the ASX 200 have a good security posture, and that their overall attack surface is on par with global counterparts in the FTSE 350 and Fortune 500.
“Whilst there’s still definite room for improvement, the overall security posture of ASX 200 companies has measurably improved since our Industry Cyber-Exposure Report on the ASX 200 in 2021,” says Erick Galinkin, the report’s author and Principal Researcher at Rapid7.
The report examines factors that provide a clear view of how the ‘average’ ASX 200 company looks from the internet, based on data collected in October this year.
Internet-facing attack surface
Overall port counts and high-risk port counts provide insight into how accessible corporate networks are to outsiders.
Web server type and version complexity
Web servers are internet-facing by necessity, and the variety of software types and differing versions between servers offers a proxy for how an organisation manages complexity and patching generally.
Microsoft Exchange patching
Given its popularity as an enterprise email server, this serves as a leading indicator of overall vulnerability management.
Email and Domain safety
Using Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Domain Name System Security Extensions (DNSSEC) helps mitigate email-based attacks such as phishing: DMARC lets receiving mail servers reject or quarantine messages that fail SPF or DKIM alignment for the organisation's domain, flagging illegitimate senders, while DNSSEC signs DNS records so that resolvers can detect tampered answers, including the DNS records that SPF, DKIM and DMARC themselves depend on.
“The ASX 200 industrial sector leads in their exposure of risky services to the internet,” says Galinkin.
“Also, companies who expose Nginx web servers can do better in managing version dispersion risk by keeping installations up to date.
“Also, Microsoft Exchange remains a popular on-premises email server despite high-impact remote vulnerabilities.”
Attack surface analysis
One metric of concern is which ports are exposed to the internet.
Rapid7 takes this further by focusing on two metrics: how many ports are exposed and how many of these ports are high-risk.
“We define high risk as the ports commonly associated with FTP, SSH, Telnet, SMB, and RDP,” Galinkin notes.
“RDP and SSH are high risk, with automated attacks targeting these ports being a common tactic of bad actors, an issue we reported on in our recent ‘Good Passwords for Bad Bots’ report.
“Although financial services, healthcare, and information technology have a substantial number of ports exposed overall, their relative exposure of risky ports is actually very low.
“By contrast, industrials leap out with an average of 33 exposed high-risk ports per company. This exposure is largely due to the substantial number of exposed SSH ports, combined with being the leading exposer of RDP, with an average of five exposed RDP servers per company.”
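The two metrics described above, total exposed ports and high-risk ports, can be computed from any external port-scan result. The following is an added example, not code from the Rapid7 report: the input format (one tuple per open TCP port seen by a scan) and the sample observations are constructed, and the mapping from port number to service uses the default ports for FTP, SSH, Telnet, SMB and RDP.

```python
"""Exposed-port and high-risk-port counts per organisation and per sector.

Added example, not code from the Rapid7 report. The input format (one tuple per
open TCP port observed by an external scan) and the sample observations are
constructed for illustration.
"""
from collections import defaultdict

# Default ports commonly associated with the five services the report treats as
# high risk. This is a port-number heuristic: a service moved to a non-default
# port is not counted, and an unrelated service on one of these ports is.
HIGH_RISK_PORTS = {
    21: "FTP",
    22: "SSH",
    23: "Telnet",
    139: "SMB",    # NetBIOS session service, normally carrying SMB
    445: "SMB",
    3389: "RDP",
}

# Constructed sample scan output: (organisation, sector, host, open TCP port).
SAMPLE_OBSERVATIONS = [
    ("acme-mining", "industrials", "203.0.113.10", 22),
    ("acme-mining", "industrials", "203.0.113.10", 443),
    ("acme-mining", "industrials", "203.0.113.11", 22),
    ("acme-mining", "industrials", "203.0.113.12", 3389),
    ("acme-mining", "industrials", "203.0.113.13", 3389),
    ("acme-mining", "industrials", "203.0.113.13", 445),
    ("first-bank", "financials", "198.51.100.5", 80),
    ("first-bank", "financials", "198.51.100.5", 443),
    ("first-bank", "financials", "198.51.100.6", 443),
    ("first-bank", "financials", "198.51.100.7", 8443),
    ("first-bank", "financials", "198.51.100.8", 22),
]


def exposure_by_org(observations):
    """Per organisation: total open ports, high-risk ports, a per-service
    breakdown, and the high-risk share of all exposed ports."""
    result = {}
    for org, sector, _host, port in observations:
        entry = result.setdefault(org, {
            "sector": sector, "total_ports": 0, "high_risk_ports": 0,
            "by_service": defaultdict(int),
        })
        entry["total_ports"] += 1
        service = HIGH_RISK_PORTS.get(port)
        if service is not None:
            entry["high_risk_ports"] += 1
            entry["by_service"][service] += 1
    for entry in result.values():
        # Relative exposure: a large total with a small share of risky ports
        # (the financial-services pattern in the report) is less alarming than
        # a small total dominated by SSH and RDP.
        entry["high_risk_share"] = entry["high_risk_ports"] / entry["total_ports"]
    return result


def sector_averages(exposure):
    """Average total and high-risk port counts per company, grouped by sector."""
    companies, ports, risky = defaultdict(int), defaultdict(int), defaultdict(int)
    for entry in exposure.values():
        sector = entry["sector"]
        companies[sector] += 1
        ports[sector] += entry["total_ports"]
        risky[sector] += entry["high_risk_ports"]
    return {
        sector: {
            "companies": companies[sector],
            "avg_ports": ports[sector] / companies[sector],
            "avg_high_risk": risky[sector] / companies[sector],
        }
        for sector in companies
    }


if __name__ == "__main__":
    exposure = exposure_by_org(SAMPLE_OBSERVATIONS)
    for org, entry in exposure.items():
        print(org, entry["total_ports"], entry["high_risk_ports"],
              dict(entry["by_service"]), round(entry["high_risk_share"], 2))
    print(sector_averages(exposure))
```

On the constructed data the industrial company shows the pattern the report describes: fewer ports overall than the bank, but most of them SSH and RDP. Because the classification is by port number only, a real assessment should confirm the service with a banner grab before treating a count as a finding.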
Web server support and version complexity
Web server vulnerabilities represent a serious risk for enterprises, potentially having a significant organisational impact.
Rapid7 notes that this makes timely patching crucial: unsupported server versions no longer receive patches, so an affected server remains vulnerable until the underlying software is upgraded.
“We examined the deployment of supported versions and found that ASX 200 companies favour Apache and Nginx for web servers over IIS, and do so in approximately equal numbers,” Galinkin says.
“But in a more worrisome metric, Nginx beats Apache in the number of unsupported versions deployed on the internet.”
Regarding version dispersion, Rapid7’s latest research finds the trends stable; IIS leads the version dispersion category, with only the communications and energy sectors averaging a single IIS version per company.
When broken down by sectors, financial services and industrials stand out, with most companies in these areas deploying more than one type of server software, as well as multiple versions of each, leading to a more complex deployment of patches for potentially affected systems.
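Version dispersion and unsupported-version counts of the kind discussed above are derived from the HTTP Server header each web server returns. The following is an added example, not code from the Rapid7 report: it parses constructed Server header values into a software family and version, counts distinct families and versions per organisation, and flags versions below an assumed support floor. The SUPPORTED_FLOOR table is a constructed placeholder and must be replaced with the vendors' actual lifecycle data before real use.

```python
"""Web server family and version dispersion from HTTP Server headers.

Added example, not code from the Rapid7 report. Input is one (organisation,
sector, host, Server header) tuple per web server; the sample rows and the
minimum-supported-version table are constructed assumptions.
"""
import re
from collections import defaultdict

# Server header: product token, optional "/version", then anything (comments,
# OS, modules): "Microsoft-IIS/10.0", "nginx/1.18.0", "Apache/2.4.57 (Ubuntu)".
SERVER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9._-]*)(?:/(\d[\w.]*))?")

# Assumed floors for "supported": versions below these are treated as unsupported.
# Constructed for illustration; replace with the vendor lifecycle data you trust.
SUPPORTED_FLOOR = {"nginx": "1.24.0", "apache": "2.4.0", "iis": "10.0"}

# Constructed sample inventory: (organisation, sector, host, Server header).
SAMPLE_SERVERS = [
    ("first-bank", "financials", "www.first-bank.example", "Apache/2.4.57 (Ubuntu)"),
    ("first-bank", "financials", "api.first-bank.example", "Apache/2.4.41 (Ubuntu)"),
    ("first-bank", "financials", "portal.first-bank.example", "nginx/1.18.0"),
    ("first-bank", "financials", "cdn.first-bank.example", "nginx/1.24.0"),
    ("first-bank", "financials", "intranet.first-bank.example", "Microsoft-IIS/10.0"),
    ("first-bank", "financials", "legacy.first-bank.example", "nginx"),
    ("acme-mining", "industrials", "www.acme-mining.example", "nginx/1.24.0"),
    ("acme-mining", "industrials", "jobs.acme-mining.example", "nginx/1.24.0"),
]


def parse_server_header(value):
    """Return (family, version); family is normalised, version None if hidden."""
    m = SERVER_RE.match(value or "")
    if not m:
        return None, None
    family = m.group(1).lower()
    if family == "microsoft-iis":
        family = "iis"
    return family, m.group(2)


def version_tuple(version):
    """'2.4.57' -> (2, 4, 57) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_unsupported(family, version):
    """True only when the version is known and below the assumed floor."""
    floor = SUPPORTED_FLOOR.get(family)
    if floor is None or version is None:
        return False
    return version_tuple(version) < version_tuple(floor)


def dispersion_by_org(servers):
    """Per organisation: families seen, distinct versions per family, servers
    that hide their version, and servers below the support floor."""
    result = {}
    for org, sector, host, header in servers:
        entry = result.setdefault(org, {
            "sector": sector, "families": set(), "versions": defaultdict(set),
            "hidden_version": [], "unsupported": [],
        })
        family, version = parse_server_header(header)
        if family is None:
            continue
        entry["families"].add(family)
        if version is None:
            # A hidden version is not "safe", it is unknown; track it separately.
            entry["hidden_version"].append(host)
        else:
            entry["versions"][family].add(version)
        if is_unsupported(family, version):
            entry["unsupported"].append((host, family, version))
    for entry in result.values():
        entry["family_count"] = len(entry["families"])
        # Distinct (family, version) pairs: the number of patch streams to track.
        entry["version_count"] = sum(len(v) for v in entry["versions"].values())
    return result


if __name__ == "__main__":
    for org, entry in dispersion_by_org(SAMPLE_SERVERS).items():
        print(org, entry["family_count"], entry["version_count"],
              entry["hidden_version"], entry["unsupported"])
```

The constructed bank runs three families across five distinct versions, one server with the version hidden and one nginx below the assumed floor, which is the "more than one type of server software, as well as multiple versions of each" pattern the report attributes to financial services.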
Rapid7 notes that Microsoft Exchange remains a popular on-premises email server, despite its history of high-impact remote vulnerabilities.
“The data shows only four of 42 organisations running Microsoft Exchange on premises having applied the most recent, relevant patches,” Galinkin explains.
“However, even in the most critical circumstances large organisations face difficulty patching, with patch deployments often lagging patch releases by 60 days or more.”
Rapid7 also acknowledges a meaningful shift among ASX 200 organisations since 2020, with many of these businesses now having at least a valid, error-free DMARC policy.
In contrast, just nine of the 200 enterprises have put in place DNSSEC, which Rapid7 says is disappointing.
However, it adds that not a single company had implemented DNSSEC in 2020, so the low count is at least a move in the right direction.
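A "valid, error-free DMARC policy", as the report puts it (and as the email and domain safety factor earlier describes), means a TXT record at _dmarc.<domain> that receivers will actually honour. The following is an added example, not code from the Rapid7 report: it applies the tag rules from RFC 7489 to a record string, separating errors (which cause receivers to ignore the whole record) from warnings such as a p=none policy that monitors but does not enforce. The sample records are constructed, and the function does not perform the DNS lookup itself.

```python
"""Syntax check for a DMARC policy record, as published in the TXT record at
_dmarc.<domain>.

Added example, not code from the Rapid7 report. It applies the tag rules of
RFC 7489 to a record string and does not perform the DNS lookup itself; the
sample records below are constructed.
"""

POLICY_VALUES = {"none", "quarantine", "reject"}


def _mailto_list(value):
    """rua/ruf: comma-separated list of mailto: URIs."""
    return all(uri.strip().startswith("mailto:") for uri in value.split(","))


# Tag -> predicate on the tag's value. Tags not listed here are ignored by
# receivers (RFC 7489 section 6.3), so they are reported as warnings, not errors.
TAG_RULES = {
    "p": lambda v: v in POLICY_VALUES,
    "sp": lambda v: v in POLICY_VALUES,
    "adkim": lambda v: v in {"r", "s"},
    "aspf": lambda v: v in {"r", "s"},
    "pct": lambda v: v.isdigit() and 0 <= int(v) <= 100,
    "ri": lambda v: v.isdigit(),
    "rf": lambda v: all(x in {"afrf"} for x in v.split(":")),
    "fo": lambda v: all(x in {"0", "1", "d", "s"} for x in v.split(":")),
    "rua": _mailto_list,
    "ruf": _mailto_list,
}


def parse_tags(record):
    """Split 'k=v; k=v' into [(key, value)] in order; value None when '=' is missing."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            tags.append((part.lower(), None))
            continue
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    return tags


def validate_dmarc(record):
    """Return (errors, warnings). A record with any error is ignored by receivers."""
    errors, warnings = [], []
    tags = parse_tags(record)
    # v must be the first tag and its value must match exactly (RFC 7489 6.4).
    if not tags or tags[0] != ("v", "DMARC1"):
        errors.append("record must begin with v=DMARC1")
    seen = {}
    for key, value in tags:
        if value is None:
            errors.append(f"malformed tag '{key}' (no value)")
            continue
        if key in seen:
            errors.append(f"duplicate tag '{key}'")
            continue
        seen[key] = value
        rule = TAG_RULES.get(key)
        if rule is None:
            if key != "v":
                warnings.append(f"unknown tag '{key}' ignored")
        elif not rule(value):
            errors.append(f"invalid value for '{key}': {value!r}")
    if "p" not in seen:
        errors.append("required tag 'p' missing")
    if not errors:
        if seen["p"] == "none":
            warnings.append("p=none only monitors; spoofed mail is still delivered")
        if "rua" not in seen:
            warnings.append("no rua address, so aggregate reports are never received")
    return errors, warnings


def dmarc_status(record):
    """'invalid', 'monitoring' (p=none) or 'enforcing' (quarantine/reject)."""
    errors, _ = validate_dmarc(record)
    if errors:
        return "invalid"
    policy = dict(parse_tags(record))["p"]
    return "monitoring" if policy == "none" else "enforcing"


# Constructed sample records.
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "wrong-order": "p=reject; v=DMARC1",
    "bad-values": "v=DMARC1; p=quarantine; pct=150; rua=dmarc@example.com",
    "no-policy": "v=DMARC1; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, dmarc_status(record), validate_dmarc(record))
```

To check a real domain, fetch the record with `dig +short TXT _dmarc.example.com` and pass the string to `validate_dmarc`. DNSSEC is a separate property of the zone, not of the DMARC record: `dig +dnssec _dmarc.example.com TXT` returns RRSIG records alongside the answer (and sets the AD flag when the resolver validates) only for a signed zone, which is the condition the report counts.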