ASX 200 firms have major security holes
- 12 March, 2019 16:00
Even the most mature and well-resourced ASX 200 companies are having trouble sufficiently deploying cyber security basics, according to a new report.
In its latest Industry Cyber Exposure Report, Rapid7 found that, on average, ASX 200 companies expose a public attack surface of 29 servers or devices with many exposing 200 or more. It also discovered that 67 per cent of these organisations have weak or non-existent anti-phishing email defences.
Most ASX 200 companies in every sector also had serious issues with patch and version management of business-critical internet facing systems. These companies are running old and often unsupported versions of the three most prolific web servers – Microsoft’s Internet Information Services (ISS), Apache HTTPD, and nginx.
Further, all industry sectors had at least one organisation that had been infected with malware. These compromises ranged from company resources being co-opted into denial of service amplification attacks to signs of EternalBlue-based campaigns similar to WannaCry and NotPetya.
Finally, most organisations use between three and five cloud service providers and some are using 10 or more. This information can be used by threat actors to craft highly effective and targeted attacks.
“The report demonstrates that even the most talented, best-resourced IT departments in Australia and New Zealand still face daily challenges in keeping their internet-facing assets up-to-date with supported version of business-critical software and keeping up-to-date with the latest patches," Tony Beardsley, research director at Rapid7 said in a statement.
Rapid7 measured the internet-facing security profiles of the ASX 200 during the fourth quarter of 2018 by examining the number of exposed servers and devices; the presence of dangerous or insecure services; phishing defence posture; weak public service and metadata configurations; and joint third-party website dependency risks.
Beardsley said that having an accurate view of the resiliency of organisations and industry sectors to withstand cyberattacks can focus efforts to reduce and manage exposure.
“Measurement of industry-level exposure can also inform industry-specific sectors that share cybersecurity information and threat intelligence. Business leaders that have an ongoing dialogue with their industry peers about cyber-exposure can be broadly beneficial to the digital ecosystem,” said Beardsley.
Follow Byron Connolly on Twitter: @ByronConnolly