Today, Rapid7 released the first in our all-new Industry Cyber-Exposure Report (ICER) series. Those of you who have been following our research over the past few years may immediately suspect us of unloading another 100+ page tome of internet-based findings, but not so fast! We've slimmed down our research and reporting style, and this new series focuses on five areas that we believe CISOs at very large corporations actually have a shot at accomplishing, and that will have a practical and fairly immediate effect on a given company's internet security posture. Those are:
- Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) to shore up email security, both internally and externally.
- Enforcing HTTPS (secure HTTP) and HSTS (HTTP Strict Transport Security) in order to protect their brand reputation and their customers' personal information.
- Hitting a happily low count of unique versions for major internet-facing software applications like web servers and email servers.
- Shutting off dangerous and inappropriate services that really have no business being exposed on the internet in the first place.
- Kicking off a vulnerability disclosure program (VDP) that helps you learn about the security issues in your products and infrastructure before you run into real problems with malicious attackers.
The paper itself focuses on how well a specific cohort of companies is doing in these areas. This time, it's the Fortune 500, widely considered to be the most successful large companies headquartered in the United States. We cut the data by industry, so we can stack up how the financial sector is doing compared to the technology sector, show where manufacturing and healthcare look pretty much the same, and offer plenty of other insights into how the companies and brands that permeate our lives are doing in terms of internet risk and threat exposure.
Our research efforts are powered primarily by Project Sonar and our open source project, Recog, and of course by our stellar research team: Bob Rudis, Curt Barnard, Kwan Lin, Tom Sellers, and me, Tod Beardsley. If you're interested in a more interactive version of this paper, feel free to join us at our webcast on April 20, where Bob and I will talk through the findings and take questions throughout.