Photo: Hero Images via Getty Images

A Rapid7 audit of the Fortune 500 companies on a variety of security fronts finds that the firms are doing a pretty good job in reducing entry points for hackers, but a lousy job at email security.

The big picture: The key numbers from this study come from two tests. One measured each firm's exposure to the internet by tabulating the number of services an eager hacker might connect to. A second tested whether each firm has adopted protections against fraudulent emails sent in its name.

The bad news: The findings show that 330 out of the Fortune 500 companies do not have computers set up to prevent sending fraudulent emails in a firm's name.

  • Email wasn't designed to check whether the address listed as the sender actually sent the message. For example, a bad guy could send an invoice that appears to come from a company email address even without access to a company email account.
  • A free add-on security protocol known as DMARC lets a receiving mail server check whether an email is authentic, which prevents those scams. Only 170 of the Fortune 500 use DMARC and have it configured to prevent fake messages from reaching an inbox.
  • "These are the best resourced companies in the world. They could easily run DMARC," said Tod Beardsley of Rapid7.
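The gap between publishing a DMARC record and having it "configured to prevent fake messages from reaching an inbox" comes down to the record's policy tag. The following is an added example, not code from Rapid7 or the article: it classifies the TXT strings found at `_dmarc.<domain>` by whether they enforce anything. The domains and records are constructed sample data, and the status labels are this example's own names.

```python
# Added example: does a domain's DMARC record actually block spoofed mail?
# SAMPLE holds constructed TXT answers for _dmarc.<domain>; nothing is looked up.
SAMPLE = {
    "example-a.test": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test"],
    "example-b.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-b.test"],
    "example-c.test": [],
    "example-d.test": ["v=DMARC1; p=quarantine; pct=25"],
    "example-e.test": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or not parts[0].lower().startswith("v") or tags.get("v") != "DMARC1":
        return None
    return tags

def classify(txt_records):
    """Label: missing, invalid, monitor-only, partial or enforcing."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"          # receivers skip DMARC when several records exist
    policy = records[0].get("p", "").lower()
    if policy == "none":
        return "monitor-only"     # reports only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"          # simplification: no usable policy tag
    pct = records[0].get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"          # policy applied to only a share of failing mail
    return "enforcing"

def audit(domains):
    """Map each domain to its status, the way a survey would tabulate it."""
    return {domain: classify(records) for domain, records in domains.items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLE).items():
        print(f"{domain:16} {status}")
```

Only the "enforcing" result corresponds to the configuration the study counts as protective; a `p=none` record shows up as DMARC adoption but stops nothing.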

The good news: Fortune 500 companies average only around 500 services exposed to the internet. And while 500 may seem like a lot, given the size of the companies, Beardsley says he was expecting more.

  • "500 is lower than I was expecting," he said. "And each only exposing 5–10 vulnerable services is lower than I was expecting."
  • The vulnerable networking protocol SMB was used to propagate the massive WannaCry malware in 2017.
  • "98% secure is pretty good. Clean up the last 2%, and we could prevent the next WannaCry," said Beardsley.
