With the world's knowledge workers driven home by a pandemic and ransomware running rampant across the internet, measuring the internet exposure of the world's most critical businesses is more important than ever. In this round of Internet Cyber-Exposure Reports (ICERs), Rapid7 researchers evaluate 5 areas of cybersecurity that are both critical to doing business on and across the internet and squarely within the power of CISOs, their IT security staffs, and their internal business partners to address.
These 5 facets of internet-facing cyber-exposure and risk include:
- Authenticated email origination and handling (DMARC)
- Encryption standards for public web applications (HTTPS and HSTS)
- Version management for web servers and email servers (focusing on IIS, Nginx, Apache, and Exchange)
- Risky protocols unsuitable for the internet (RDP, SMB, and Telnet)
- The proliferation of vulnerability disclosure programs (VDPs)
In this report, we examine the internet-facing cyber-exposure of the top companies listed on Germany's Deutsche Börse Prime Standard (hereafter referred to as the DB 314). Each section is accompanied by real-world, practical advice that practitioners can start implementing today. Note that this advice is not only for those CISOs who are privileged to hold positions in Deutsche Börse Prime Standard companies, but also for those security experts who find themselves in business and regulatory relationships with members of this prestigious collection of corporations.
Through the first half of 2021, Rapid7 will be releasing reports measuring these 5 critical areas of cybersecurity fundamentals across 5 of the most advanced economies of the world:
- The United States Fortune 500
- The United Kingdom's FTSE 350
- Australia's ASX 200
- Germany's Deutsche Börse Prime Standard 314 (this report)
- Japan's Nikkei 225
The paper is divided into 5 detailed sections covering the areas mentioned above, and the overall takeaways of this research are as follows:
- DB 314 email security posture lags behind the US and UK. At the start of 2021, email security among the DB 314 is not keeping pace with peers in the US and UK. While DMARC adoption in the US and UK hovers around 50%, only about 39% of the surveyed companies operating in Germany publish any DMARC record at all; of those, about two thirds use a p=none (monitor-only) policy, which asks receivers to report on authentication failures but not to act on them. In other words, only about 13% of DB 314 listed companies are taking active measures to protect their brands, employees, and customers through DMARC p=quarantine or p=reject policies.
- Exposed, dangerous services are less of a concern in Germany. While exposure of dangerous protocols, namely Windows Remote Desktop (RDP), Windows file sharing (SMB), and Telnet, continues to be an issue among the surveyed companies, it is nowhere near the problem we have seen among the US-based Fortune 500: for each of the 3 protocols surveyed, almost 90% of the DB 314 had no exposure at all. When we looked at secure HTTP (HTTPS) deployment, we found HTTPS in place for 99.6% of DB 314 companies (we will be reaching out to the lone HTTP holdout).
- Version dispersion remains a problem. Of the surveyed companies still running their own on-premises Microsoft Exchange servers for messaging, only about 20% run the most current supported version, and another 20% run Exchange 2010, which reached end of support in October 2020. We also found no fewer than 13 distinct versions of Microsoft IIS serving web content, as well as a whopping 89 distinct versions of Nginx, the most popular web server on Earth. These distinct version counts are higher than for any regional group of companies we have studied so far.
- The German automotive sector stands out when it comes to vulnerability disclosure. While VDP adoption remains slow among the DB 314, with only 34 companies advertising any mechanism for reporting vulnerabilities in their products or infrastructure, the automotive industry shows a higher-than-average commitment to VDP: 6 of the 18 automotive sector companies have one (a third, versus roughly 11% of the DB 314 overall).
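The DMARC finding above turns on the difference between publishing a record and enforcing one. The following is an added example, not code from the Rapid7 report, that classifies a domain's posture from the TXT record published at `_dmarc.<domain>` (following the record syntax and fallback rules of RFC 7489) and then tallies a set of domains the way the finding does: share with any usable record, and share actively enforcing. The domain names and records in the sample are constructed for illustration, and no DNS lookups are performed.

```python
"""Classify DMARC posture from the TXT record published at _dmarc.<domain>.

Added example, not code from the Rapid7 report. Decides whether a domain has
no usable DMARC record, a monitor-only (p=none) policy, or an enforcing
(p=quarantine / p=reject) policy. Sample records and domains are constructed.
"""
from collections import Counter

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Returns None if the text is not a DMARC record. RFC 7489 reuses the DKIM
    tag-value syntax: tags are separated by ';', tag names are case-sensitive,
    and the first tag must be exactly v=DMARC1 or receivers ignore the record.
    """
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            return None  # malformed tag: receivers discard the whole record
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def classify(txt):
    """Return 'no_dmarc', 'monitor', or 'enforcing' for one TXT record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no_dmarc"
    policy = tags.get("p", "").lower()  # p values are case-insensitive
    if policy not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: a missing or invalid p is treated as p=none
        # when an rua= tag is present; otherwise the record is treated as absent.
        policy = "none" if "rua" in tags else None
    if policy is None:
        return "no_dmarc"
    if policy == "none":
        return "monitor"
    # pct=0 applies the requested policy to 0% of failing mail; receivers fall
    # back one step (reject -> quarantine, quarantine -> none), so a
    # quarantine policy with pct=0 is monitor-only in practice.
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) == 0:
        return "monitor" if policy == "quarantine" else "enforcing"
    return "enforcing"


def posture_summary(records):
    """Tally postures over a {domain: txt_or_None} mapping.

    Returns (counts, percent_with_any_record, percent_enforcing), the two
    numbers the report uses to describe DMARC adoption.
    """
    counts = Counter(classify(txt) for txt in records.values())
    total = len(records)
    with_record = total - counts["no_dmarc"]
    return (
        counts,
        round(100 * with_record / total, 1),
        round(100 * counts["enforcing"] / total, 1),
    )


# Constructed sample: the TXT answer at _dmarc.<domain> for hypothetical domains.
SAMPLE_RECORDS = {
    "example-one.de": "v=DMARC1; p=reject; rua=mailto:dmarc@example-one.de",
    "example-two.de": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "example-three.de": "v=DMARC1; p=none; rua=mailto:dmarc@example-three.de",
    "example-four.de": "v=DMARC1; rua=mailto:dmarc@example-four.de",  # no p tag
    "example-five.de": "v=DMARC1; p=quarantine; pct=0",  # enforcing on paper only
    "example-six.de": "v=spf1 include:_spf.example-six.de -all",  # SPF, not DMARC
    "example-seven.de": None,  # no TXT record at all
    "example-eight.de": "p=reject; v=DMARC1",  # v must be first: ignored
}

if __name__ == "__main__":
    counts, pct_any, pct_enforcing = posture_summary(SAMPLE_RECORDS)
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:18} {classify(txt)}")
    print(f"any DMARC: {pct_any}%  enforcing: {pct_enforcing}%  {dict(counts)}")
```

On the constructed sample, five of eight domains publish a usable record (62.5%) but only two enforce (25.0%), the same kind of gap the finding describes. To run this against real domains, replace `SAMPLE_RECORDS` with the TXT answers from a resolver (for example, dnspython's `dns.resolver.resolve` on `_dmarc.<domain>`); note that the classification is of the organisational domain only, and an `sp=none` tag, as on `example-two.de`, leaves subdomains unprotected even when the parent enforces.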
With these key findings in mind, the remainder of this report explores each of the 5 areas of cybersecurity measurable in the DB 314.
Before you dive in, a note: if your organisation was, or still is, affected by those events, you may feel that most of your time and energy goes to dealing with emergencies rather than to the more chronic issues outlined in this report. Since our goal is to help organisations become (and remain) safe and resilient, we have a dedicated appendix you may want to read first before tackling the sections below.