Today, Rapid7 released our fifth Industry Cyber-Exposure Report (ICER), this one examining the overall exposure of the companies listed in the Deutsche Börse Prime Standard index. The 320 companies surveyed are a selection of some of the largest companies in Germany; the index itself is maintained by Deutsche Börse Group. Most of the companies in the Prime Standard are headquartered in Germany, with a few headquartered in other European countries but with major operations in Germany, and together they represent the industrial and corporate base of the German economy. Because of this, we believe the Prime Standard constitutes a reasonable list of the largest, best-run, and most culturally significant companies in the German economy.
The report reveals that even among very large, mature, and well-resourced organizations, we see evidence of cybersecurity basics being missed or deployed insufficiently. This hints at the complexity and breadth required for a comprehensive security program: a never-ending challenge in which there is always more that can be done, constrained by limited time and resources, regardless of the size of the organization. If this challenge cannot be comprehensively met by these very large, high-revenue organizations, just imagine how much worse it is for smaller organizations with far fewer resources to apply to security.
Sure, you might think smaller organizations are less likely to be targeted by attackers, but that is unlikely to offer much protection. For one thing, everyone is a target for so-called untargeted "drive-by" attacks and internet-wide malware outbreaks such as NotPetya, widely reported to be the most costly cyberattack to date.
In addition, many small- to medium-size businesses represent a very tasty target for attackers due to their intellectual property (for example, startups with cool new technology or techniques), relationship with their customers (for example, the HVAC vendor that had access to Target’s corporate network), or involvement in processing sensitive or financial data (for example, the many law firms that handle complex mergers and acquisitions between much larger companies).
The report highlights how difficult it is for all organizations to adequately and comprehensively address cybersecurity, and the need for greater awareness of these challenges among, and support from, business leaders.
The key findings of the research report include the following:
- DB Prime Standard organizations, on average, expose a public attack surface of 88 servers/devices, with many companies exposing over 300 systems/devices.
- Of the appraised organizations, only 15 (5%) have sufficient DMARC configurations in place, with the rest having weak or nonexistent anti-phishing defenses in the public email configuration of their primary email domains. This is the weakest anti-phishing showing of all the Rapid7 ICERs to date.
- SSL/TLS security is enforced on the primary websites of most of the surveyed organizations — only 21 (6%) do not auto-upgrade cleartext HTTP connections to HTTPS.
- Eleven of the eighteen industry sectors had at least one organization with malware infections, with the Software industry being the worst offender when it comes to propagating SMB-based malware.
- Organizations across industry sectors signal how many and which cloud service providers they use through their public domain name system (DNS) metadata, with 82 organizations using between two and 10 cloud service providers. An attacker can use this information to craft highly targeted attacks, such as phishing that impersonates a provider the organization is known to use.
- High-risk services such as Telnet and Windows SMB file sharing were exposed by only a few organizations, which is positive. However, most organizations in every sector also expose web services running seriously outdated software on their internet-facing systems.
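Two of the findings above, the DMARC posture of a primary email domain and whether the primary website auto-upgrades cleartext HTTP to HTTPS, are simple to check for your own domains. The following is an added example written for this post; it is not code from the ICER and the report does not publish its exact grading criteria, so the rubric it applies ("missing", "monitor", "partial", "enforcing") is an assumption chosen to match common practice: only a p=quarantine or p=reject policy applied to 100% of mail, with subdomains not exempted via sp=none, is counted as enforcing. The domains and TXT records in the sample set are constructed for illustration and are not real Prime Standard records.

```python
"""Assess DMARC posture and HTTP-to-HTTPS upgrade from raw inputs.

Added example, not part of the Rapid7 ICER. The grading rubric below is an
assumption of this example, not the report's published methodology.
"""
from typing import Dict, List, Optional

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse one TXT record into a tag->value dict.

    Returns None if the record is not a DMARC record. RFC 7489 requires the
    first tag to be exactly v=DMARC1, so any other TXT record published at the
    _dmarc label (a verification token, a stray SPF string) is ignored here.
    """
    parts = [p.strip() for p in record.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: List[str]) -> str:
    """Classify the TXT record set found at _dmarc.<domain>.

    Rubric (an assumption of this example):
      missing   - no DMARC record, or more than one; RFC 7489 section 6.6.3 tells
                  receivers to treat multiple records as if none were published
      malformed - v=DMARC1 but no mandatory p= tag, or a bad p=/pct= value
      monitor   - p=none: reports only, spoofed mail is still delivered
      partial   - quarantine/reject applied to only pct<100 of mail, or
                  subdomains exempted with sp=none
      enforcing - quarantine/reject on 100% of mail, subdomains included
    """
    dmarc = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if len(dmarc) != 1:
        return "missing"
    tags = dmarc[0]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return "malformed"
    if policy == "none":
        return "monitor"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "malformed"
    if not 0 <= pct <= 100:
        return "malformed"
    # sp= defaults to the organizational policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    if pct < 100 or sub_policy == "none":
        return "partial"
    return "enforcing"


def upgrades_to_https(status: int, headers: Dict[str, str]) -> bool:
    """True if a cleartext GET http://<host>/ was answered with a redirect to an
    https:// URL. Header names are matched case-insensitively, as HTTP requires.
    A 200 served over plain HTTP, or a redirect that stays on http://, fails."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    return location.lower().startswith("https://")


# Constructed sample data for illustration only (not real records).
SAMPLE_DMARC = {
    "no-record.example": [],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example"],
    "subdomains.example": ["v=DMARC1; p=quarantine; sp=none"],
    "enforcing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "other-txt.example": ["some-unrelated-verification-token"],
    "broken.example": ["v=DMARC1; rua=mailto:dmarc@broken.example"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_DMARC.items():
        print(f"{domain:20} {assess_dmarc(records)}")
    print("redirect to https:", upgrades_to_https(301, {"Location": "https://www.example/"}))
    print("plain 200 over http:", upgrades_to_https(200, {"Content-Type": "text/html"}))
```

To run this against a real domain, feed `assess_dmarc` the output of `dig +short TXT _dmarc.example.com` (one string per record) and `upgrades_to_https` the status code and headers of a plain `http://` request made without following redirects. The duplicate-record case is worth keeping in mind: two well-intended DMARC records at the same label are not "twice as safe" but are ignored outright by compliant receivers.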