
A Rapid7 audit of the Fortune 500 companies on a variety of security fronts finds that the firms are doing a pretty good job in reducing entry points for hackers, but a lousy job at email security.

The big picture: The key numbers from this study come from two tests. One measured each firm's exposure to the internet by tabulating the number of services an eager hacker might connect to. A second tested adoption of security against sending fraudulent emails in a firm's name.

The bad news: The findings show that 330 out of the Fortune 500 companies do not have computers set up to prevent sending fraudulent emails in a firm's name.

  • Email wasn't designed to check if the email address listed as the sender actually sent the message. For example, a bad guy could send an invoice that looks like an invoice from a company email address even without access to a company email account.
  • There is a free add-on security protocol known as DMARC that checks with a server if an email is authentic and prevents those scams. Only 170 of the Fortune 500 use DMARC and have it configured to prevent fake messages from reaching an inbox.
  • "These are the best resourced companies in the world. They could easily run DMARC," said Tod Beardsley of Rapid7.

The good news: Fortune 500 companies average only around 500 services exposed to the internet. And while 500 may seem like a lot, given the size of the companies, Beardsley says he was expecting more.

  • "500 is lower than I was expecting," he said. "And each only exposing 5–10 vulnerable services is lower than I was expecting."
  • The vulnerable networking protocol SMB was used to propagate the massive WannaCry malware in 2017.
  • "98% secure is pretty good. Clean up the last 2%, and we could prevent the next WannaCry," said Beardsley.
