According to a new research report by Rapid7, companies listed on the ASX 200 have a respectable security posture, and the attack surface in general is on-par with global counterparts in the FTSE 350 and the Fortune 500.
“Whilst there’s still definite room for improvement, the overall security posture of ASX 200 companies has measurably improved since our Industry Cyber-Exposure Report on the ASX 200 in 2021,” says the report’s author, Erick Galinkin, Principal Researcher, Rapid7.
Based on data collected in October, the report surveys factors that provide a clear picture of what an ‘average’ ASX 200 company looks like from the internet. These include:
- Internet-facing attack surface: Overall port counts and high-risk port counts provide insight into how accessible corporate networks are to outsiders.
- Web server type and version complexity: Web servers by necessity are internet-facing and the variety of software types and differing versions between servers offers a proxy for how an organisation manages complexity and patching generally.
- Microsoft Exchange patching: Given its popularity as an enterprise email server, this serves as a leading indicator of overall vulnerability management.
- Email and domain safety: The use of Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Domain Name System Security Extensions (DNSSEC) helps mitigate email-based attacks like phishing by flagging illegitimate senders and preventing spoofing.
“The ASX 200 industrial sector leads in their exposure of risky services to the internet,” says Galinkin. “Also, companies who expose Nginx web servers can do better in managing version dispersion risk by keeping installations up to date. Also, Microsoft Exchange remains a popular on-premises email server despite high-impact remote vulnerabilities.”
Attack Surface Analysis
One metric of concern is which ports are exposed to the internet. Rapid7 considers two metrics: the total number of exposed ports, and the number of exposed high-risk ports.
“We define high risk as the ports commonly associated with FTP, SSH, Telnet, SMB, and RDP. RDP and SSH are high risk, with automated attacks targeting these ports a common tactic by bad actors, an issue we reported on in our recent ‘Good Passwords for Bad Bots’ report,” adds Galinkin.
“Although financial services, healthcare, and information technology have a substantial number of ports exposed overall, their relative exposure of risky ports is actually very low. By contrast, industrials leap out with an average of 33 exposed high-risk ports per company. This exposure is largely due to the substantial number of exposed SSH ports, combined with being the leading exposer of RDP, with an average of five exposed RDP servers per company.”
Web Server Support and Version Complexity
Web server vulnerabilities can have tremendous organisational impact, so applying patches is crucial. Unsupported server versions do not receive these patches and an impacted server remains vulnerable until the underlying software is upgraded.
“We examined the deployment of supported versions and found that ASX 200 companies favor Apache and Nginx for web servers over IIS, and do so in approximately equal numbers. But in a more worrisome metric, Nginx beats Apache in the number of unsupported versions deployed on the internet,” adds Galinkin.
Version dispersion trends are stable overall, but IIS leads that category, with only the communications and energy sectors averaging a single version per company. From a sectoral perspective, financial services and industrials stand out: most companies in those sectors deploy not only more than one type of server software but multiple versions of each, which makes deploying patches to potentially affected systems significantly more complex.
Microsoft Exchange
Despite a string of vulnerabilities including the ProxyShell vulnerability, Microsoft Exchange remains a popular on-premises email server.
“The data shows only four of 42 organisations running Microsoft Exchange on premises having applied the most recent, relevant patches,” says Galinkin. “However, even in the most critical circumstances large organisations face difficulty patching, with patch deployments often lagging patch releases by 60 days or more.”
Email Safety
There has been a meaningful shift amongst the ASX 200 since 2020, with many organisations now having at least a valid, error-free DMARC policy. By contrast, only nine of the 200 companies have implemented DNSSEC. That is disappointing, but in 2020 not a single company had implemented DNSSEC, so even this low count is an improvement worth acknowledging.
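As an added illustration of the “valid, error-free DMARC policy” measure used above (this code is not from the Rapid7 report), the following checker parses a DMARC TXT record against the core RFC 7489 syntax rules and grades the policy it declares. The records it is run on are constructed; the tag names and the mailto: reporting-address format are the standard ones.

```python
import re

# Added example (not from the Rapid7 report): validate a DMARC TXT record and grade
# its policy. Input records are constructed; in practice they come from _dmarc.<domain>.
ALLOWED_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}
POLICIES = ("none", "quarantine", "reject")
MAILTO = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+$")


def parse_dmarc(record: str) -> dict:
    """Split a record into tags and collect syntax/semantic errors (RFC 7489 rules)."""
    tags, errors = {}, []
    parts = [p.strip() for p in record.strip().rstrip(";").split(";")]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name:
            errors.append(f"malformed tag '{part}'")
            continue
        if name not in ALLOWED_TAGS:
            errors.append(f"unknown tag '{name}'")
        tags[name] = value
    # 'v' must be the first tag and exactly DMARC1; 'p' is mandatory.
    if not parts[0].lower().startswith("v="):
        errors.append("record must begin with v=DMARC1")
    if tags.get("v") != "DMARC1":
        errors.append("v tag must be DMARC1")
    if "p" not in tags:
        errors.append("missing required p tag")
    for key in ("p", "sp"):
        if key in tags and tags[key].lower() not in POLICIES:
            errors.append(f"{key} must be one of {POLICIES}")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        errors.append("pct must be an integer 0-100")
    for key in ("rua", "ruf"):
        if key in tags and not all(MAILTO.match(u.strip()) for u in tags[key].split(",")):
            errors.append(f"{key} must be comma-separated mailto: URIs")
    return {"tags": tags, "errors": errors}


def grade(record: str) -> str:
    """'invalid' (any error), 'monitor-only' (p=none), 'partial' (pct<100) or 'enforced'."""
    result = parse_dmarc(record)
    if result["errors"]:
        return "invalid"
    if result["tags"]["p"].lower() == "none":
        return "monitor-only"
    return "partial" if int(result["tags"].get("pct", "100")) < 100 else "enforced"
```

A record that grades as "monitor-only" is valid but gives receivers no instruction to quarantine or reject spoofed mail, so validity alone does not equal protection.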
For a more detailed assessment, the ASX 200 Attack Surface report is available here.