Overall, unencrypted, cleartext protocols are still the rule for how information flows around the world.
APAC countries such as China, South Korea, Japan, Taiwan, Australia, and Hong Kong are among the countries with the most exposed dangerous protocols on the Internet, according to security analytics and automation company Rapid7's recently released National/Industry/Cloud Exposure Report (NICER) for 2020.
The report examines the changing internet risk landscape, measuring the prevalence and geographic distribution of common cyber security exposures with findings broken down by country, industry sector and internet protocol.
NICER 2020 focuses on the risks and multinational prevalence of protocols that are inherently flawed or too dangerous to expose to the Internet – such as FTP, Telnet, SMB, and open, insecure databases.
A technical assessment of the 24 service protocols surveyed finds that, overall, unencrypted, cleartext protocols are still the rule for how information flows around the world.
There are 42 per cent more plaintext HTTP Web servers than encrypted HTTPS servers, three million databases awaiting insecure queries, and 2.9 million routers, switches and servers accepting Telnet connections.
NICER 2020 also found that the top publicly traded companies in advanced economies, including Australia, are hosting a surprisingly high number of unpatched services with known vulnerabilities, especially in financial services and telecommunications.
There are tens of thousands of high-rated CVEs (Common Vulnerabilities and Exposures) across the public-facing assets of these two sectors. Despite these sectors' vast collective reservoirs of wealth and expertise, this level of vulnerability exposure is unlikely to improve in a time of global recession.
The report analyses the exposure of companies listed on the ASX 200 in Australia, the Deutsche Börse Prime Standard 320, the Nikkei 225 in Japan, the UK FTSE 250+ and the US Fortune 500, giving each industry sector a grade of A, B, C or D. Industries graded D include Technology, Telecommunications, Financial Services, Healthcare, Pharma, Engineering, Construction, Industrials, Materials and Mining. Companies in these sectors account for the majority of breach and ransomware headlines in the last 12 months.
One positive finding is that the population of insecure services has shrunk over the past year, with an average 13 per cent decrease in exposed, dangerous services such as those based on the SMB and rsync file sharing protocols and the Telnet remote access protocol. At the same time, more secure alternatives to insecure protocols, such as SSH (Secure Shell) and DoT (DNS-over-TLS), increased overall.
These findings contradict the doom-and-gloom predictions by many commentators that there would be a jump in newly exposed insecure services such as Telnet and SMB with the sudden shift to work-at-home for millions of people and the continued rise of Internet of Things (IoT) devices crowding residential networks.
Australia also made significant strides in reducing its exposure in the last year. The exposure of plaintext FTP (file transfer protocol) services across the country, for example, was reduced by 56 per cent in 2020 compared with the same period in 2019. This was one of the biggest improvements globally. SMB (Server Message Block, Microsoft Windows’ multi-purpose protocol used for file transfers) exposure in Australia was already fairly small in 2019 (just over 5000 servers exposed) and that footprint was further reduced to 4515 in 2020.
There is still considerable room for improvement, however. NICER 2020 finds there are still almost 40,000 systems exposing Microsoft Remote Desktop (RDP) and 4800 exposing Virtual Network Computing (VNC) remote access services in Australia. This puts organisations at risk of credential stuffing, brute force and exploit-based cyber-attacks.
Australia is also fourth in the world with over 3000 exposed Citrix ADC/Netscaler services, which are used to provide remote access to applications and/or desktop environments. Worryingly, Rapid7's version fingerprinting technique shows that only 73 per cent of internet-facing Citrix systems have the latest patches or mitigations in place, with the remaining 27 per cent either vulnerable or woefully outdated.
Globally, patch and update adoption continues to be slow for a wide range of internet services, even for modern services with reports of active exploitation. This is particularly true in the areas of email handling and remote access where, for example, 3.6 million SSH servers are sporting versions between five and 14 years old.
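The two kinds of exposure the report keeps returning to, cleartext or "too dangerous to expose" services and stale software versions advertised in service banners, are the things a defender can check against their own external asset inventory. The script below is an added example (not Rapid7's code, and not the version-fingerprinting technique NICER actually uses): it triages a constructed inventory of an organisation's own internet-facing hosts, flagging services the report names as risky and estimating the age of OpenSSH builds from their identification strings. The `RISKY_SERVICES` mapping, the `OPENSSH_RELEASES` dates (approximations that must be replaced with upstream release data), the `203.0.113.0/24` documentation addresses and the `REPORT_DATE` are all assumptions made for the example.

```python
"""Triage an external-facing service inventory for the exposures NICER 2020 highlights.
Added example; not Rapid7's code. All tables and sample data are constructed."""
import re
from datetime import date

# Services the report describes as cleartext or too dangerous to expose, mapped to the
# encrypted or access-controlled alternative a defender would migrate to (assumed mapping).
RISKY_SERVICES = {
    "ftp": "SFTP or FTPS",
    "telnet": "SSH",
    "http": "HTTPS",
    "smb": "no direct exposure; reach it over a VPN",
    "rsync": "rsync over SSH",
    "vnc": "no direct exposure; VPN plus MFA",
    "rdp": "no direct exposure; VPN or RD Gateway plus MFA",
}

# Illustrative OpenSSH release dates (constructed approximations for this example;
# replace with authoritative upstream release data before relying on the computed ages).
OPENSSH_RELEASES = {
    "5.3": date(2009, 10, 1),
    "6.6": date(2014, 3, 15),
    "7.4": date(2016, 12, 19),
    "8.3": date(2020, 5, 27),
}

# Assumed assessment date, chosen to line up with the 2020 report period.
REPORT_DATE = date(2020, 9, 1)

# SSH identification string format: "SSH-<protoversion>-<softwareversion> [comments]".
# Only OpenSSH is parsed here; other implementations return None and are flagged for review.
SSH_BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+\.\d+)")


def parse_openssh_version(banner: str):
    """Return the OpenSSH major.minor advertised in an identification string, or None."""
    m = SSH_BANNER_RE.match(banner.strip())
    return m.group("ver") if m else None


def ssh_version_age_years(banner: str, today: date):
    """Years elapsed since the advertised OpenSSH version was released, or None if unknown."""
    ver = parse_openssh_version(banner)
    released = OPENSSH_RELEASES.get(ver) if ver else None
    if released is None:
        return None
    return (today - released).days / 365.25


def triage(inventory, today: date, max_age_years: float = 5.0):
    """One finding per risky exposed service or stale/unrecognised SSH build."""
    findings = []
    for asset in inventory:
        svc = asset["service"].lower()
        base = {"host": asset["host"], "port": asset["port"]}
        if svc in RISKY_SERVICES:
            findings.append({**base, "issue": f"exposed {svc}",
                             "action": f"replace with {RISKY_SERVICES[svc]} or remove from the Internet"})
        elif svc == "ssh":
            age = ssh_version_age_years(asset.get("banner", ""), today)
            if age is None:
                findings.append({**base, "issue": "SSH version not recognised",
                                 "action": "fingerprint manually and record the build"})
            elif age > max_age_years:
                findings.append({**base, "issue": f"OpenSSH build is {age:.1f} years old",
                                 "action": "upgrade to a supported release"})
    return findings


# Constructed sample inventory using TEST-NET-3 documentation addresses.
SAMPLE_INVENTORY = [
    {"host": "203.0.113.10", "port": 21, "service": "ftp", "banner": "220 (vsFTPd 3.0.3)"},
    {"host": "203.0.113.11", "port": 22, "service": "ssh", "banner": "SSH-2.0-OpenSSH_5.3"},
    {"host": "203.0.113.12", "port": 22, "service": "ssh", "banner": "SSH-2.0-OpenSSH_8.3"},
    {"host": "203.0.113.13", "port": 443, "service": "https", "banner": ""},
    {"host": "203.0.113.14", "port": 3389, "service": "rdp", "banner": ""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, REPORT_DATE):
        print(f"{f['host']}:{f['port']}  {f['issue']}  ->  {f['action']}")
```

On the sample data this reports the FTP host, the 5.3 OpenSSH build (roughly eleven years old on the assumed date) and the RDP host, while the current OpenSSH build and the HTTPS listener pass. The age threshold defaults to five years, the lower bound of the "five and 14 years old" range the report cites; feed the function your own scanner or asset-management export rather than the constructed list to get an actionable view.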
“Cyber attackers now targeting the human factor as well”
“Organisations in Australia have actually improved the security of internet services in the last year,” said Neil Campbell, vice president APJ for Rapid7. “Unfortunately, cyber attackers have seen that and are now targeting the human factor as well. In addition to upgrading insecure services and patching systems, there are some fundamental human behaviours that must be addressed. The only way to do that is through cyber awareness training.”
Campbell also sounded a warning about VPN concentrators and remote access services, which many organisations have become more reliant on since the coronavirus pandemic. “These have become the new Adobe Reader, which was a go-to attack vector at the height of its popularity and often went unpatched,” he said. “Even where the services are encrypted, the risk of remote code execution vulnerabilities or credential stuffing attacks means they are only really safe when patches are up to date and multi-factor authentication is used.”