Dec 11, 2018

Fortune 500 cybersecurity is better and worse than you'd think

Photo: Hero Images via Getty Images

A Rapid7 audit of the Fortune 500 companies on a variety of security fronts finds that the firms are doing a pretty good job in reducing entry points for hackers, but a lousy job at email security.

The big picture: The key numbers from this study come from two tests. One measured each firm's exposure to the internet by tabulating the number of services an eager hacker might connect to. A second tested adoption of security against sending fraudulent emails in a firm's name.

The bad news: The findings show that 330 out of the Fortune 500 companies do not have computers set up to prevent sending fraudulent emails in a firm's name.

  • Email wasn't designed to check if the email address listed as the sender actually sent the message. For example, a bad guy could send an invoice that looks like an invoice from a company email address even without access to a company email account.
  • There is a free add-on security protocol known as DMARC that checks with a server if an email is authentic and prevents those scams. Only 170 of the Fortune 500 use DMARC and have it configured to prevent fake messages from reaching an inbox.
  • "These are the best resourced companies in the world. They could easily run DMARC," said Tod Beardsley of Rapid7.

The good news: Fortune 500 companies only average around 500 exposed services to the internet. And while 500 may seem like a lot, given the size of the companies, Beardsley says he was expecting more.

  • "500 is lower than I was expecting," he said. "And only each only exposing 5–10 vulnerable services is lower than I was expecting."
  • The vulnerable networking protocol SMB was used to propagate the massive WannaCry malware in 2017.
  • "98% secure is pretty good. Clean up the last 2%, and we could prevent the next WannaCry," said Beardsley.
Go deeper