In this week’s Whiteboard Wednesday, Justin Buchanan, Sr. Solutions Manager for Vulnerability Management and Offensive Security Products at Rapid7, takes us through some of the key takeaways and action items for security teams in 2019 from our recent Industry Cyber-Exposure Report; in the research report, our team dives into the risk posture and overarching security trends across the Fortune 500.
Hi and welcome to this week's Whiteboard Wednesday. My name's Justin Buchanan, Senior Solutions Manager for Vulnerability Management and Offensive Security solutions here at Rapid7.
Recently, we released our Industry Cyber-Exposure Report that focuses on the various exposures of the Fortune 500. Today, we're going to talk about some key learnings from that report as it pertains to our vulnerability management programs.
The first key takeaway is SMB continues to be highly exposed to the publicly-facing internet, especially in these Fortune 500 companies. SMB is one of the most dangerous services that we can have facing towards the public internet. 15 out of 21 of the sectors that were surveyed in this report have at least one of their members exposing SMB. And once one of those members was found, on average, they had at least 10 nodes per organization. SMB is a real problem mostly because of its track record. We have old faithful, MS08-067, which continues to wreak havoc on networks the world over, and some new problems like EternalBlue, and WannaCry and NotPetya that came from that. The report goes on to say there is no safe way to expose SMB services to the public internet, so with that, we need to make sure that we're locking that down.
The next key takeaway from that report was that of Telnet. Telnet is a fairly old protocol at this point, a clear text protocol, that is used to log directly into servers and network equipment. It allows us to issue commands and run scripts directly at the OS level of the device. Telnet also has a bad track record and that's a problem, but the even bigger problem with Telnet is simply that it's a clear text protocol. Because these transactions are happening in clear text over the public internet, it's easy for attackers to steal passwords, read the data being transferred, and then reuse that stolen data and credentials for further action later on. The report goes on: "There is no technical or practical justification for a Telnet service today, especially since it's been superseded by SSH."
With that, we come into the value of a vulnerability management program. When we have these discussions about risk that services like SMB or Telnet, when exposed, can bring to our organization along with other vulnerabilities, we better understand the reason for a rock solid vulnerability management program. So, let's walk through that very quickly.
The first step of an effective vulnerability management program is to collect all the data from across your entire environment: your on-premises assets, your clouds, your assets in the cloud, your remote assets. Understand everything that you have, where it is, what services it's running, and what potential software vulnerabilities it may have.
Now, once you have that large collection of information, you need to prioritize. The hard truth is there will always be more work that needs to be done than you will ever be able to do, so you have to pick your battles. You have to pick the items that you're going to work on based on what attackers are most likely to take advantage of. And today, as informed by this cybersecurity industry report, we would like to propose that looking for SMB and Telnet facing towards the public internet is definitely a good thing to focus on when you're doing this prioritization process.
And then, finally, after you've prioritized what you're going to do with your limited resources and time, you'd have to do the hard work of remediation. This process of installing patches to fix software vulnerabilities, or implementing compensating controls to isolate assets from potential attack is the key to making meaningful progress forward so that we can start to decrease some of the exposure that we saw in this recent report.
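As an added illustration of the collect-then-prioritize step described above (example code written for this page, not from Rapid7 or the report), the function below takes a constructed asset inventory and pulls out the assets exposing SMB or Telnet on a public address, ordered so the report's highest-risk services come first. The service weights and the inventory records are assumptions; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for real public IPs.

```python
import ipaddress

# Services the report singles out as never safe on the public internet.
# Weights are hypothetical, chosen only to order remediation work.
RISKY_SERVICES = {
    445: ("SMB", 10),       # direct SMB
    139: ("SMB", 9),        # SMB over NetBIOS session service
    23:  ("Telnet", 8),     # clear text remote login
}

# Address space treated as internal; anything else counts as public-facing.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed inventory records, as a collection step might produce them.
INVENTORY = [
    {"host": "web01",    "ip": "203.0.113.10", "ports": [80, 443]},
    {"host": "file01",   "ip": "203.0.113.20", "ports": [445, 139, 3389]},
    {"host": "switch07", "ip": "198.51.100.5", "ports": [23, 22]},
    {"host": "nas02",    "ip": "10.0.4.7",     "ports": [445]},  # internal only
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_public_exposures(inventory):
    """Return one finding per (host, risky port) pair on a public address,
    highest-weight service first so remediation starts with SMB."""
    findings = []
    for asset in inventory:
        if is_internal(asset["ip"]):
            continue  # internal SMB/Telnet is still worth fixing, but not this report's focus
        for port in asset["ports"]:
            if port in RISKY_SERVICES:
                service, weight = RISKY_SERVICES[port]
                findings.append({"host": asset["host"], "ip": asset["ip"],
                                 "port": port, "service": service, "score": weight})
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


def hosts_per_service(findings):
    """Count distinct exposed hosts per service, the figure the report uses."""
    seen = {}
    for f in findings:
        seen.setdefault(f["service"], set()).add(f["host"])
    return {service: len(hosts) for service, hosts in seen.items()}
```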
We hope that this has been helpful and can provide some context for you in your vulnerability management program. If you'd like to know more about this report, which has a lot more than just the icing on the cake that we covered today, you can head over to rapid7.com/ICER.
That's it for this week's Whiteboard Wednesday. We'll see you next time.