
Unpatched services

by Mark Rowe

FTSE 250 companies are hosting a high number of unpatched services with known vulnerabilities, according to a cloud-based security analytics company. A report by Rapid7, the National Industry Cloud Exposure Report (NICER), uncovers known vulnerabilities in the financial services and telecommunications industries, with each industry having 10,000 high-rated common vulnerabilities and exposures (CVEs) across its public-facing assets.

The report predicts that, despite the collective reservoirs of wealth and expertise within these companies, this level of vulnerability exposure is unlikely to get better during a global recession. Besides the FTSE 250, Rapid7’s report looked at the Fortune 500, Deutsche Börse Prime Standard 320, ASX 200 and Nikkei 225. It found that 611 companies within these indices are hosting a high number of unpatched services with known vulnerabilities. This includes 11,630 vulnerabilities within 107 large technology companies alone.

Moreover, patch and update adoption continues to be slow, especially for remote console access, where, for example, 3.6 million secure shell (SSH) servers are running versions between five and 14 years old. Unencrypted, cleartext protocols are still heavily used: there are 42 per cent more plaintext HTTP servers than HTTPS servers, 3 million databases awaiting insecure queries, and 2.9 million routers, switches and servers accepting Telnet connections.

Rapid7 says the report offers a data-backed analysis of the changing internet risk landscape, measuring the prevalence and geographic distribution of commonly known exposures in inter-connected technologies. Tod Beardsley, research director at Rapid7, said: “FTSE 250 companies may be the leading organisations in the UK size-wise, but they’re also some of the biggest targets to cyber attackers. One of the findings that surprised me is the prevalence of un-securable SMB servers that exist within these organisations, showing that UK organisations have not yet learned the lessons of WannaCry, which cost the NHS more than £92 million a couple of years ago.

“My advice to IT teams within FTSE 250 organisations is to bake in regular patching windows and decommissioning schedules to their internet-facing infrastructure.”


© 2024 Professional Security Magazine. All rights reserved.
