Australian Security Magazine, Issue 1, 2019

Page 24

Cyber Security

Exposing Dirty Habits: Perth’s Cyber Riskers Meetup

By Tony Campbell

The recent Cyber Risk Meetup in Perth demonstrated well the West Australian cyber community’s enthusiasm, strength and passion for learning. With an enticing title, “Exposing Dirty Habits”, the event kicked off in GHD Digital’s offices on Hay Street with a very relevant discussion on big-company exposures. It was delivered by Rapid7’s Vice President for APAC, Neil Campbell, who has had a long and interesting career spanning law enforcement, forensics, cyber technology and consulting, through to, most recently, sales.

Neil’s presentation, entitled The State of Security for Australia’s ASX 200 Orgs, focused on the key findings from Rapid7’s recently published report on ASX 200 companies and their cyber exposures. He covered the following aspects on a sector-by-sector basis:

• number of exposed servers and devices;
• exposure to known common attacks;
• susceptibility to phishing attacks;
• evidence of infection from malware;
• third-party dependencies that share risk; and
• evidence of vulnerability management.

As Neil explained, ASX 200 organisations are amongst the most well-funded and well-resourced in Australia. Each of these organisations will undoubtedly spend a significant amount of money each year on cyber security (likely into the millions of dollars), yet Rapid7 was able to discover many systemic cyber risks and exposures across every sector represented in the report. A frightening fact was that Rapid7 showed ASX 200 organisations to have, on average, a public attack surface exposing 29 servers/devices, while many of them had more like 200–300 systems/devices directly reachable over the open Internet. Furthermore, none of the examined industry sectors were free from malware infections, with many individual companies signalling to Rapid7’s honeypot network, known as Project Heisenberg[1].

How Did Rapid7 Gather This Data?

The data that Rapid7 collected for this report was gathered using active scanning and special DNS queries. However, one additional capability Rapid7 has established, known as Project Heisenberg, is a global array of passive network sensors that advertise services such as HTTP/HTTPS, Telnet, SMB etc. As Neil said, no genuine Internet traffic should be hitting those systems, so when they do receive a connection from an organisation’s systems, it is a strong indicator that those systems are compromised.

A further worrying statistic that Neil shared was that most ASX 200 companies don’t employ industry best practice for spam mitigation: 67% of the organisations could enhance their security posture simply by applying DMARC (Domain-based Message Authentication, Reporting & Conformance) to their email infrastructure[1]. Exposed weak services were another major problem, with some organisations having open Telnet and Windows file sharing (the security nightmare that is SMB). Each one of these exposed services elevates the organisation’s risk and exposure. ASX organisations in every sector had serious issues with patch/version management of business-critical internet-facing systems. It is vital that organisations make configuration and patch management of internet-facing systems a top priority.
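The passive-sensor inference Neil described (a sensor that serves no real users, so any inbound connection from an organisation’s address space is a compromise indicator) can be worked through with a small attribution script. This is an added example written for this article, not Rapid7’s code and not how Project Heisenberg is actually implemented; the netblocks, IP addresses and sensor log lines are constructed, hypothetical values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: netblocks an assessor would hold for each organisation.
# These are hypothetical documentation ranges, not real ASX 200 allocations.
ORG_NETBLOCKS = {
    "ExampleBank": ["203.0.113.0/24"],
    "ExampleMiner": ["198.51.100.0/25", "2001:db8:10::/48"],
}

# Constructed sensor hits: timestamp, source IP, advertised service, port.
# A passive sensor has no legitimate clients, so every line here is suspect;
# the malformed trailing line shows the parser skipping bad input.
SENSOR_LOG = """\
2019-01-14T02:11:09Z 203.0.113.45 telnet 23
2019-01-14T02:11:10Z 203.0.113.45 telnet 23
2019-01-14T03:40:51Z 198.51.100.7 smb 445
2019-01-14T04:02:13Z 192.0.2.99 http 80
2019-01-14T05:15:00Z 2001:db8:10::1f smb 445
malformed line here
"""


def parse_hits(log_text):
    """Parse sensor log lines into (timestamp, ip, service, port); skip unparsable lines."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, service, port = parts
        try:
            ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue
        hits.append((ts, ip, service, port))
    return hits


def build_attribution(netblocks):
    """Flatten the org -> CIDR mapping into a list of (network, org) for lookup."""
    return [(ipaddress.ip_network(cidr), org)
            for org, cidrs in netblocks.items() for cidr in cidrs]


def attribute(ip, table):
    """Return the organisation owning ip, or None if it is outside every known netblock."""
    for net, org in table:
        if ip.version == net.version and ip in net:
            return org
    return None


def compromise_indicators(log_text, netblocks):
    """Summarise sensor contacts per organisation: hit count, distinct sources, services touched."""
    table = build_attribution(netblocks)
    report = defaultdict(lambda: {"hits": 0, "sources": set(), "services": set()})
    for _ts, ip, service, _port in parse_hits(log_text):
        org = attribute(ip, table)
        if org is None:
            continue  # unattributed source: still noise, but not one of our orgs
        report[org]["hits"] += 1
        report[org]["sources"].add(str(ip))
        report[org]["services"].add(service)
    return {org: {"hits": e["hits"],
                  "sources": sorted(e["sources"]),
                  "services": sorted(e["services"])}
            for org, e in report.items()}


if __name__ == "__main__":
    for org, summary in compromise_indicators(SENSOR_LOG, ORG_NETBLOCKS).items():
        print(f"{org}: {summary['hits']} sensor contacts from {summary['sources']} "
              f"on {summary['services']}")
```

The output names each organisation whose address space contacted a sensor, which is the triage list an incident responder would start from: a host reaching out to a Telnet or SMB decoy that no one should know about is worth an internal investigation before any attacker-facing detail is known.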
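The DMARC finding (67% of organisations lacking it) is the kind of check that is easy to self-assess. The following is an added example, not part of the article or of Rapid7’s report: it parses DMARC TXT records as published at _dmarc.<domain> and grades each domain’s posture, handling the common weak settings (p=none, a partial pct=, sp=none on subdomains, missing reporting addresses). The domains and records are constructed samples; a real assessment would fetch the TXT record via DNS instead of reading the dictionary.

```python
# Constructed DMARC TXT records, as they would be published at _dmarc.<domain>.
# The domain names are hypothetical; None stands for "no TXT record at all".
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example": "v=DMARC1 p=reject",  # tags not separated by ';'
    "nodmarc.example": None,
}


def parse_dmarc(record):
    """Return a dict of DMARC tags, or None if the text is not a valid DMARC1 record."""
    if record is None:
        return None
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None  # a tag without '=' is malformed
        tags.append((key.strip().lower(), value.strip()))
    # RFC 7489: v=DMARC1 must be the first tag and must match exactly,
    # otherwise receivers ignore the whole record.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def assess_dmarc(record):
    """Classify one domain's DMARC posture: missing_or_invalid, monitor_only,
    partial_enforcement or enforced, with notes on weakening settings."""
    result = {"grade": "missing_or_invalid", "policy": None, "pct": None, "notes": []}
    tags = parse_dmarc(record)
    if tags is None:
        result["notes"].append("no valid DMARC1 record: receivers cannot police spoofed mail")
        return result
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        result["notes"].append("p= tag absent or unrecognised; record is ineffective")
        return result
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else 100
    result["policy"], result["pct"] = policy, pct
    if policy == "none":
        result["grade"] = "monitor_only"
    elif pct < 100:
        result["grade"] = "partial_enforcement"
    else:
        result["grade"] = "enforced"
    if "rua" not in tags and "ruf" not in tags:
        result["notes"].append("no rua/ruf: aggregate or failure reports will not be received")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        result["notes"].append("sp=none leaves subdomains unpoliced")
    return result


def assess_all(records):
    """Map each domain to its grade."""
    return {domain: assess_dmarc(rec)["grade"] for domain, rec in records.items()}


def unenforced_share(records):
    """Fraction of domains not at full enforcement: the headline figure for a portfolio."""
    grades = assess_all(records)
    return sum(1 for g in grades.values() if g != "enforced") / len(grades)


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{domain}: {a['grade']} {a['notes']}")
    print(f"share without enforcement: {unenforced_share(SAMPLE_RECORDS):.0%}")
```

Only p=quarantine or p=reject at pct=100 actually stops a spoofed message; p=none publishes a record but tells receivers to deliver anyway, which is why the grading treats monitoring as a first step rather than as having DMARC in place.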
