Today, Rapid7 released our fourth Industry Cyber-Exposure Report (ICER) examining the overall exposure of the companies listed in the Nikkei 225 index. The Nikkei 225 is a selection of Japanese common stocks, drawn from the First Section of the Tokyo Stock Exchange maintained by The Nikkei newspaper. All of the companies in the Nikkei 225 are headquartered in Japan, and, similar to the Dow Jones Industrial Index in the United States, it is an index intended to represent the industrial and corporate base of the Japanese economy. Because of this, we believe that the companies listed in the Nikkei 225 create a reasonable list of the largest, best-run, and most culturally significant companies in the Japanese economy.
The report reveals that even among very large, mature, and well-resourced organizations, we see evidence of cybersecurity basics being missed or deployed insufficiently. This hints at the complexity and breadth required for a comprehensive security program, which is a never-ending challenge in which there is always more that can be done, constrained by limited resources and time, regardless of the size of the organization. If this challenge cannot be comprehensively met by these very large, high-revenue organizations, just imagine how much worse it is for smaller organizations with far fewer resources to apply to security.
Sure, you might think smaller organizations are less likely to be targeted by attackers, but in practice they are not significantly less likely to be hit. For one thing, everyone is a target for so-called untargeted “drive-by” attacks or internet-wide malware infections, such as NotPetya, now officially deemed the most costly cyberattack of all time.
In addition, many small- to medium-size businesses represent a very tasty target for attackers due to their intellectual property (for example, startups with cool new technology or techniques), relationship with their customers (for example, the HVAC vendor that had access to Target’s corporate network), or involvement in processing sensitive or financial data (for example, the many law firms that handle complex mergers and acquisitions between much larger companies).
The report highlights how difficult it is for all organizations to adequately and comprehensively address cybersecurity, and the need for greater awareness of challenges and support from business leaders.
The key findings of the research report include the following:
- Nikkei 225 organizations, on average, expose a public attack surface of 107 servers/devices, with many companies exposing over 750 systems/devices.
- Of the appraised Nikkei 225 organizations, 196 (87%) have weak or nonexistent anti-phishing defenses (i.e., DMARC) in the public email configuration of their primary email domains, with 13 (6%) having malformed records. This is the weakest anti-phishing showing of all the Rapid7 Industry Cyber-Exposure Reports (ICERs) to date.
- SSL/TLS security is not enforced on the primary websites of 18% of Nikkei 225 organizations. This leaves visitors open to a wide array of common and potentially devastating attacks by adversaries in a position to modify web content as it is being transmitted.
- All industry sectors had at least one organization with malware infections, with Technology and Consumer Goods organizations showing monthly signs of regular compromise. Incidents across industries ranged from company resources being co-opted into denial-of-service (DoS) amplification attacks to signs of EternalBlue-based campaigns similar to WannaCry and NotPetya.
- Organizations across industry sectors in the Nikkei 225 signal how many and which cloud service providers they use in their public domain name system (DNS) metadata, with 46 organizations using between two and five cloud service providers. This information can be used to craft highly effective, targeted attacks, among other actions.
- Severely vulnerable services such as Telnet and Windows SMB file-sharing were exposed in only a few organizations, which is positive. However, most organizations in every sector also expose web services that rely on seriously outdated software on their internet-facing systems.
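The DMARC finding above distinguishes "nonexistent", "malformed" and "weak" records from enforced ones. The following classifier is an added example written for this post, not Rapid7's ICER tooling; it applies the same categories to the raw `_dmarc` TXT record of a domain. The sample records and domain names are constructed, and the script assumes the record has already been fetched by a DNS TXT lookup of `_dmarc.<domain>` (the lookup itself is left out so the script runs offline).

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example illustrating the ICER's DMARC categories; not Rapid7's code.
Records are assumed to come from a DNS TXT lookup of _dmarc.<domain>;
the samples below are constructed, as are the domain names.
"""
import re

# Constructed sample records keyed by placeholder domain name.
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "malformed.example": "v=DMARC1 p=reject",   # missing ';' between tags
    "wrong-version.example": "v=DMARC2; p=reject",
    "missing.example": None,                    # no _dmarc TXT record published
}

TAG_RE = re.compile(r"^([A-Za-z]+)=(.*)$")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict.

    Returns None when the record is syntactically invalid: a component
    without '=', a first tag other than 'v', or a version other than DMARC1
    (RFC 7489 requires v=DMARC1 to be the first tag).
    """
    tags = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for i, part in enumerate(parts):
        m = TAG_RE.match(part)
        if not m:
            return None
        tag, value = m.group(1).lower(), m.group(2).strip()
        if i == 0 and tag != "v":
            return None
        tags[tag] = value
    if tags.get("v") != "DMARC1":
        return None
    return tags


def classify_dmarc(record):
    """Map a raw TXT record (or None) to nonexistent/malformed/weak/enforced.

    'weak' covers p=none (monitoring only) and policies applied to only a
    fraction of failing mail via pct<100; quarantine and reject at pct=100
    count as enforced.
    """
    if record is None:
        return "nonexistent"
    tags = parse_dmarc(record)
    if tags is None:
        return "malformed"
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "malformed"  # the p tag is required and must be one of these
    if policy == "none":
        return "weak"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "weak"  # policy only applied to part of the failing mail
    return "enforced"


def summarize(records):
    """Count domains per category, the way the report tallies the index."""
    counts = {"nonexistent": 0, "malformed": 0, "weak": 0, "enforced": 0}
    for rec in records.values():
        counts[classify_dmarc(rec)] += 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:25s} {classify_dmarc(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

Run against your own domains, the "weak" bucket is the one to watch: a `p=none` record produces aggregate reports but does nothing to stop spoofed mail, which is why the report groups it with missing records.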
Have a gander!
We’re excited to present another industry-centric view of exposure and continue to set our sights on other major indices of companies around the world to paint a more complete global, industry-centric picture of exposure. If you have a professional or personal interest in how Japanese companies handle their internet exposure, take a moment to grab the free report. Reading through it, you will learn:
- The average cyber-exposure of the Nikkei 225, and how this statistic relates to baseline attack surface
- Which industries are unwittingly spreading malicious traffic such as EternalBlue-based exploits and distributed denial-of-service (DDoS) amplification attacks
- The exposure inherent in relying on third-party, cloud-based services
- How far along Japanese companies are when it comes to DMARC-based anti-spoofing