KPMG performed research on the FTSE 350 constituent companies to analyze their cybersecurity vulnerabilities from publicly available information on corporate websites and documents. They found that over 53% of corporate websites were supported by outdated and vulnerable web server software. On average, they identified 3 potential vulnerabilities per company. They also found companies leaked sensitive internal information through metadata in documents, including an average of 41 usernames and 44 email addresses per company. Certain sectors like utilities leaked the most internal usernames. The report concludes that companies should minimize publishing unnecessary information and better protect sensitive employee accounts and roles to reduce cyber risks.
RISK CONSULTING

UK Cyber Vulnerability Index 2013
An ethical investigation into cyber security across the FTSE 350
What does your online corporate profile reveal?

More than 53 percent of the FTSE 350 have out of date and potentially vulnerable web servers.
How we put together our Index

KPMG performed research across the FTSE 350 constituent companies (over January to June 2013), with the aim of performing the same initial steps that hackers and organised criminals would perform when profiling a target organisation for attack or infiltration. This included some of the techniques used by threat actors often referred to as Advanced Persistent Threats, or ‘APTs’.

Our research focused on finding publicly available technical information about the FTSE 350 group’s respective corporate IT. We mapped the structure of relevant corporate websites to identify potentially sensitive file locations or hidden functionality useful to cyber attackers. We then reviewed the content and meta-data of publicly accessible documents. While navigating the sites, we found interesting internal file locations, email addresses and technical data that would stimulate further investigation by hackers. In addition to websites, we also reviewed the content published on selected public sharing websites.

All profiling information was sourced from the public documents located on the FTSE 350 corporate websites, document meta-data, search engines and public internet forums, and no hacking or illegal actions were performed.
How cyber criminals use organisations’ data against them

The perpetrators of modern cyber attacks – whether these are social activists, criminals, competitors, or national governments – make extensive use of publicly available company information when planning their activity. Technical IT data, such as the versions of software used, usernames and email addresses, and technical details about a firm’s web-facing systems, is of particular interest to perpetrators.

Such data is almost never relevant to the firm’s customers or website visitors, but may end up online due to negligence, deficient document publishing procedures, or as a result of earlier security breaches. Even so, it is useful to hackers as it helps profile the target firm’s IT and employees, and may reveal weaknesses in the firm’s security defences.

Due to the non-intrusive nature of the discovery process, it leaves minimal to no footprint and is therefore difficult to detect or protect against. The best course of action may still be minimising the data unnecessarily published in the first place.
What we found - Vulnerable web servers

We observed that over 53 percent of corporate websites were supported by out-of-date and potentially vulnerable technologies.

Corporate websites are supported by a number of web technologies. When a website is accessed, the web server often reveals its software version, which is typically hidden from a web browser’s view. The disclosure of these web banner software versions can prove to be of significant value to an attacker when profiling a remote target site and server.

Out of the 53 percent vulnerable to attack due to missing security patches or outdated server software, the sectors with the highest number of web vulnerabilities [1] were:
- Support Services
- Software and Computer Services
- General Retailers
- Mining
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Aerospace and Defence
- Banks
- Telecommunications
- General Industrial

Across the whole FTSE 350 group of companies, we identified an average of three potential web server vulnerabilities per company, with a total of 1121 vulnerabilities recorded. The highest recorded instance of web server vulnerabilities attributed to one company was 32.

We also noted the large number of development and preproduction web servers during our analysis. In one particular instance we discovered that a home-use web server, which provides a significantly lower level of sophistication and security, was in use by a FTSE 350 company.

It’s no longer acceptable to patch internal servers and corporate laptops within four weeks of a patch being released. On a recent piece of client work we witnessed a patching policy of 48 hours for internal systems, covering some 2000 servers and 20,000 laptops, which shows what can be done.

[1] Excludes Beverages, Media, Travel & Leisure and Equity Investment Instruments.
“Telecommunications, Aerospace and Defence, Utilities, Financial Services, Oil Equipment and Services recorded the highest average vulnerable software”

[Chart: Potential web server vulnerability - average count per company per sector, and total count per sector. Sectors charted: Support Services, Software & Computer Services, Chemicals, Nonlife Insurance, Travel & Leisure, Mining, General Industrials, Technology Hardware & Equipment, Electronic & Electrical Equipment, Oil & Gas Producers, Pharmaceuticals & Biotechnology, Banks, Media, Aerospace & Defence, General Retailers and Telecommunications. The highest totals shown are Support Services (130) and Software & Computer Services (87).]
Looking at the results by industry group, the highest averages for out-of-date web servers were held by:

[Chart: average out-of-date web servers per company by industry group, with values ranging from 4 to 9. Groups charted: Financial Services, Oil Equipment & Services, Pharmaceuticals & Biotechnology, Health Care Equipment & Services, General Retailers, Oil Equipment, Services & Distribution, Technology Hardware & Equipment, Utilities, Aerospace & Defence, Banks, Support Services, Personal Goods, Oil & Gas Producers, General Industrial, Software & Computer Services and Telecommunications.]
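The web banner disclosure described in this section can be checked on one's own sites before an attacker does. The following is an added example, not KPMG's tooling: it parses a raw HTTP response and reports every product/version pair announced in the usual banner headers. The two sample responses are constructed for the demonstration, not captured from any FTSE 350 site.

```python
import re

# Headers through which a web server or application stack commonly announces itself;
# a product/version pair in any of them is the "web banner" disclosure discussed above.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Optional "Product/" prefix followed by a dotted version, e.g. Apache/2.2.22 or 4.0.30319
VERSION_RE = re.compile(r"(?:([A-Za-z][\w.-]*)/)?(\d+(?:\.\d+)+)")

def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into {lower-cased name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def version_disclosures(raw: str) -> list:
    """Return (header, product, version) for every versioned banner in the response.

    An empty product means the header value was a bare version number."""
    found = []
    for name, value in parse_headers(raw).items():
        if name in BANNER_HEADERS:
            found += [(name, p, v) for p, v in VERSION_RE.findall(value)]
    return found

# Constructed sample responses (not captured from any real site): a chatty stack, and
# the same server after suppressing the banner (Apache: ServerTokens Prod and
# ServerSignature Off; nginx: server_tokens off; PHP: expose_php = Off).
CHATTY = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
          "X-Powered-By: PHP/5.3.10\r\nContent-Type: text/html\r\n\r\n<html>")
QUIET = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, raw in (("chatty", CHATTY), ("quiet", QUIET)):
        print(label, version_disclosures(raw) or "no version disclosed")
```

Suppressing the banner hides the version from casual profiling but does not replace patching; the report's 48-hour patching example is the actual fix.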
“Utilities rated worst for leaking internal usernames - on average 126 per company”
What we found - Sensitive information within meta-data

Meta-data (information stored inside a document about the document itself) often constitutes an information leak, as it can provide attackers with a view of corporate network users, their email addresses, the software versions they use to create documents and the internal network locations where files are stored.

As part of our research, we were able to obtain an average of 41 internal usernames and 44 email addresses per company. These may be used to facilitate targeted phishing email scams. Looking at the results by industry group, most internal email addresses were disclosed by companies in the Aerospace and Defence (212 emails per company), Tobacco (100), Oil Equipment, Services and Distribution (94) and Pharmaceuticals and Biotechnology (93) sectors.

“We obtained an average of 41 internal usernames and 44 email addresses per company.”

What we found - Internal network locations

Internal network locations point to internal server names and assist hackers in gaining an insight into your internal network structure [2].

We managed to extract an average of five sensitive internal file locations per company, with the highest recorded instance of 139 internal file locations in one company. The sectors leaking the most internal network locations [3] were:

[Chart: total recorded internal file locations per sector. Sectors charted: Support Services, Mining, General Retailers, Oil Equipment, Services & Distribution, Pharmaceuticals & Biotechnology, Real Estate Investment Trusts, General Financial, Oil & Gas Producers, Utilities, Industrial Engineering, Software & Computer Services, Banks, Aerospace & Defence, Life Insurance and Telecommunications. Support Services recorded the highest total (217).]

[2] An internal file name may look something like compxlonserv1MandAsecretfile1.
[3] Excludes Equity Investment Instruments, Media, Household Goods.
What we found - Hacking forums

Hackers will often share information on potential or already compromised companies as posts on underground forums, using digital whiteboard technology to quickly paste information. These postings often reveal email addresses of individuals to be targeted in ‘spear-phishing’ [4] attacks, passwords of users on internal and external systems, as well as details of internet-facing firewalls and VPN (Virtual Private Network) hosts.

Companies within the following sectors are discussed the most in these forums [5]:
- Banking
- General Financial
- General Retailers
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Software and Computer Services
- Support Services
- Technology Hardware and Equipment
- Telecommunications
- Tobacco

We found that on average a FTSE 350 company will have 12 postings on these forums relating to sensitive corporate information. The highest recorded instance of posts was 748, related to companies in the General Financial sector. The second and third highest recorded entries related to a company in the Technology Hardware and Equipment sector, with 603 and 346 posts respectively.

[4] An e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data. Source: http://searchsecurity.techtarget.com/definition/spear-phishing
[5] Numbers based on six month collection period (over January to June 2013). Excludes Household Goods, Travel and Leisure.
“Technology Hardware and Equipment had the greatest amount of posts on hacking forums with an average of 163 per company”

[Chart: KPMG ‘High Threat Club’ - sectors most likely to be targeted, scored as the sum of each sector’s average internal file locations, average vulnerable software and average vulnerable web servers. Scores range from 16 to 30. Sectors charted: Mining, Oil Equipment & Services, Support Services, Industrial Engineering, Software & Computer Services, Telecommunications, General Industrials, Aerospace & Defence, Banks, Utilities, Life Insurance, Oil & Gas Producers, General Financial, Technology Hardware & Equipment and Pharmaceuticals & Biotechnology.]
The spotlight is on the Aerospace and Defence sector

Aerospace and Defence stand out as a high risk sector.

Using an email designed to dupe the unsuspecting corporate user, hackers will embed a piece of malware, or a link to a malicious external site. When the user clicks on the link a piece of malware will be delivered to the user’s computer. From this point a user’s machine will be controlled by a third party and data extracted from the corporate network. The hackers will have the same access to everything as the user.

In June 2013, the FBI warned of an increase in criminals using spear-phishing attacks to target multiple industry sectors. (source - http://www.fbi.gov/scams-safety/e-scams)

Did you know?
Used by criminals and foreign intelligence services alike, phishing is the targeting mechanism of choice when penetrating an organisation’s network.

“Aerospace and Defence leaked the most email addresses with an average of 212 per company”

Many well publicised breaches have occurred in this sector over the years. As a sector, Aerospace and Defence leaked the most email addresses with an average of 212 per company. In addition, the Aerospace and Defence sector had 1209 recorded meta-data email leaks, which was the highest recorded across all sectors. The sector also had the highest number of potentially vulnerable software with a total of 34.

[Chart: Aerospace and Defence average count per company for emails (212), users, internal file locations, vulnerable software, hacking forum posts and vulnerable web servers.]
Focus on the future…

…Companies should look to minimise the amount of meta-data that can be associated back to their company. Plenty of tools exist to strip this data from documents before they are published. People in sensitive roles that are likely to be the target of phishing or similar cyber attacks should have little online presence and their emails should be filtered. Such roles include IT administrators, heads of research, financial directors and other executives with control over vital corporate information or networks. Finally, and critically, CEOs and non-executive directors should scrutinise and challenge what they are being told by their teams about cyber defences, questioning how robust their defences are and whether they have been actively tested. This requires the people at the very top of their organisation to have an in-depth understanding of both the threats and the countermeasures.
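The meta-data leak described in the "Sensitive information within meta-data" section and the recommendation above to strip it before publication can both be shown on an Office document. The following is an added example, not KPMG's tooling or any particular vendor's product: it reads the OOXML property parts of a .docx (a zip of XML files), reports the author, last-modified-by user, application version, company and template path, sweeps every part for UNC paths and e-mail addresses, and writes back a copy with the leaky property elements removed. The sample package, usernames, server name and addresses are constructed for the demonstration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# OOXML properties that typically leak usernames, e-mail addresses, authoring software
# versions and internal file locations: the fields to blank before a document is published.
SENSITIVE = {"docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dc:description"],
             "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"]}
UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\s<\"']+")  # \\server\share\path
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
def build_sample_docx() -> bytes:  # constructed sample: a minimal OOXML package that leaks
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>jsmith</dc:creator>'
            "<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>"
            "<dc:description>Draft, contact j.smith@example.com</dc:description></cp:coreProperties>")
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           "<AppVersion>14.0000</AppVersion><Company>Example Corp</Company>"
           "<Template>\\\\fileserver01\\templates\\annual-report.dotx</Template></Properties>")
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()

def audit_docx(data: bytes) -> dict:  # what the package reveals before it is published
    found = {"fields": {}, "paths": set(), "emails": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            text = z.read(name).decode("utf-8", "replace")
            found["paths"].update(UNC_RE.findall(text))  # scan every part, not only docProps
            found["emails"].update(EMAIL_RE.findall(text))
            if name in SENSITIVE:
                root = ET.fromstring(text)
                for tag in SENSITIVE[name]:
                    el = root.find(tag, NS)
                    if el is not None and el.text:
                        found["fields"][tag.split(":")[1]] = el.text
    return found

def strip_docx(data: bytes) -> bytes:  # copy of the package with the sensitive elements removed
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name in SENSITIVE:
                root = ET.fromstring(payload)
                for el in [e for t in SENSITIVE[name] for e in root.findall(t, NS)]:
                    root.remove(el)
                payload = ET.tostring(root, encoding="utf-8")
            dst.writestr(name, payload)
    return out.getvalue()
```

Run `audit_docx` on a real .docx to see the same fields the report harvested; paths or addresses found outside docProps sit in the document body and need editing by hand, since `strip_docx` only removes property elements.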