Dec 11, 2018

Fortune 500 cybersecurity is better and worse than you'd think

A Rapid7 audit of the Fortune 500 companies on a variety of security fronts finds that the firms are doing a pretty good job at reducing entry points for hackers, but a lousy job at email security.

The big picture: The key numbers from this study come from two tests. One measured each firm's exposure to the internet by tabulating the number of services an eager hacker might connect to. A second tested adoption of security against sending fraudulent emails in a firm's name.

The bad news: The findings show that 330 out of the Fortune 500 companies do not have computers set up to prevent sending fraudulent emails in a firm's name.

  • Email wasn't designed to check if the email address listed as the sender actually sent the message. For example, a bad guy could send an invoice that looks like an invoice from a company email address even without access to a company email account.
  • There is a free add-on security protocol known as DMARC that checks with a server if an email is authentic and prevents those scams. Only 170 of the Fortune 500 use DMARC and have it configured to prevent fake messages from reaching an inbox.
  • "These are the best resourced companies in the world. They could easily run DMARC," said Tod Beardsley of Rapid7.

The good news: Fortune 500 companies average only around 500 services exposed to the internet. And while 500 may seem like a lot, given the size of the companies, Beardsley says he was expecting more.

  • "500 is lower than I was expecting," he said. "And each only exposing 5–10 vulnerable services is lower than I was expecting."
  • The vulnerable networking protocol SMB was used to propagate the massive WannaCry malware in 2017.
  • "98% secure is pretty good. Clean up the last 2%, and we could prevent the next WannaCry," said Beardsley.
