FTSE 250+ organizations leave an average of 35 servers and devices exposed to the open internet, while 231 have “weak or non-existent” phishing defenses.
According to research by Rapid7, many companies in the FTSE 250+ indicate how many and which cloud service providers they use in their DNS metadata. The research found that 114 organizations use between two and seven cloud service providers.
Tod Beardsley, director of research at Rapid7, told Infosecurity that this is the “best of the best of IT in Britain” and that what stood out to him was the number of services exposed: this was in the 30% range, although some companies expose thousands and others only a few.
He said: “We look at each company and ask how many versions of iOS or NGINX are they running, or how many versions of Apache? Do they standardize on one version, which every company wants to do because it makes things a lot easier with a lot less overheads, or are they running 20 different versions of Apache, which tells me they have really fragmented asset management processes and are not doing patches, and doing black box stuff.”
One “bright side” that Beardsley pointed out for the UK was fewer SMB servers, with only seven found in total.
Of the average 35 exposed services, Beardsley admitted that if he were managing a company’s IT and only found 35, he would be delighted, as “it sounds really good”, whereas when you get to 300-400 it becomes a full-time job.
Elsewhere, 19% of the FTSE 250+ organizations are not enforcing SSL/TLS security. Beardsley said that there is a lack of 302 redirects from HTTP to HTTPS, and “a lot of clear text HTTP as the front page” for household brands. He admitted that for a country so determined to get him to accept cookies, this was surprising, as it permits injection attacks as well as man-in-the-middle attacks.
Asked whether this puts the FTSE 250+ in a positive light, Beardsley said that there is work to be done, and while the SMB and Telnet stats are a good thing, Rapid7 is seeing connections from FTSE 250+ companies to its honeypot “as if we are part of the same network so it is accidental self-compromise.”