RISK CONSULTING
An ethical investigation into cyber security across the FTSE350
UK Cyber Vulnerability Index 2013
What does your online corporate profile reveal?
1 | Cyber Vulnerability Index
[Cover callout: “more than [figure] of the FTSE 350 have out of date and potentially vulnerable web servers.”]
How we put together our Index.
KPMG performed research across the FTSE 350 constituent companies (over January to June 2013), with the aim of performing the same initial steps that hackers and organised criminals would perform when profiling a target organisation for attack or infiltration. This included some of the techniques used by threat actors often referred to as Advanced Persistent Threats, or ‘APTs’.
Our research focused on finding publicly available technical information about the FTSE350 group’s respective corporate IT. We mapped the structure of relevant corporate websites to identify potentially sensitive file locations or hidden functionality useful to cyber attackers. We then reviewed the content and meta-data of publicly accessible documents. While navigating the sites, we found interesting internal file locations, email addresses and technical data that would stimulate further investigation by hackers. In addition to websites, we also reviewed the content published on selected public sharing websites.
All profiling information was sourced from the public documents located on the FTSE350 corporate websites, document meta-data, search engines and public internet forums, and no hacking or illegal actions were performed.
How cyber criminals use organisations’ data against them.
The perpetrators of modern cyber attacks – whether these are social activists, criminals, competitors, or national governments – make extensive use of publicly available company information when planning their activity. Technical IT data, such as the versions of software used, usernames and email addresses, and technical details about a firm’s web-facing systems, is of particular interest to perpetrators.
Such data is almost never relevant to the firm’s customers or website visitors, but may end up online due to negligence, deficient document publishing procedures, or as a result of earlier security breaches. Even so, it is useful to hackers as it helps profile the target firm’s IT and employees, and may reveal weaknesses in the firm’s security defences.
Due to the non-intrusive nature of the discovery process, it leaves minimal to no footprint and is therefore difficult to detect or protect against. The best course of action may still be minimising the data unnecessarily published in the first place.
What we found - Vulnerable web servers
We observed that over 53 percent of corporate websites were supported by out-of-date and potentially vulnerable technologies.
Corporate websites are supported by a number of web technologies. When a website is accessed, the web server often reveals its software version, which is typically hidden from a web browser’s view. The disclosure of these web banner software versions can prove to be of significant value to an attacker when profiling a remote target site and server.
Out of the 53 percent vulnerable to attack due to missing security patches or outdated server software, the sectors with the highest number of web vulnerabilities1 were:
- Support Services
- Software and Computer Services
- General Retailers
- Mining
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Aerospace and Defence
- Banks
- Telecommunications
- General Industrial
1 Excludes Beverages, Media, Travel & Leisure and Equity Investment Instruments.
Across the whole FTSE 350 group of companies, we identified an average of three potential web server vulnerabilities per company, with a total of 1121 vulnerabilities recorded. The highest recorded instance of web server vulnerabilities attributed to one company was 32.
We also noted the large number of development and pre-production web servers during our analysis. In one particular instance we discovered that a home-use web server, which provides a significantly lower level of sophistication and security, was in use by a FTSE350 company.
It’s no longer acceptable to patch internal servers and corporate laptops within four weeks of a patch being released. On a recent piece of client work we witnessed a patching policy of 48 hours for internal systems, covering some 2000 servers and 20,000 laptops, which shows what can be done.
“Telecommunications, Aerospace and Defence, Utilities, Financial Services, Oil Equipment and Services recorded the highest average vulnerable software”
[Chart: Potential web server vulnerability - total count per sector. Totals legible in the original: Support Services 130, Software & Computer Services 87, Travel & Leisure 82, General Retailers 73, Telecommunications 55, Mining 54, Oil & Gas Producers 50, Banks 32, Technology Hardware & Equipment 27, Electronic & Electrical Equipment 24, Chemicals 23.]
Looking at the results by industry group, the highest averages for out-of-date web servers were held by:
[Chart: Potential web server vulnerability - average count per company per sector. Sectors shown: Financial Services, Oil Equipment & Services, Pharmaceuticals & Biotechnology, Health Care Equipment & Services, General Retailers, Oil Equipment, Services & Distribution, Technology Hardware & Equipment, Utilities, Aerospace & Defence, Banks, Support Services, Personal Goods, Oil & Gas Producers, General Industrial, Software & Computer Services, Telecommunications.]
“Utilities rated worst for leaking internal user names - on average 126 per company”
[Chart: internal user names recorded per sector. Sectors shown: Support Services, Mining, General Retailers, Oil Equipment, Services & Distribution, Pharmaceuticals & Biotechnology, Real Estate Investment Trusts, General Financial, Oil & Gas Producers, Utilities, Industrial Engineering, Software & Computer Services, Banks, Aerospace & Defence, Life Insurance, Telecommunications.]
What we found - Sensitive information within meta-data
Meta-data (information stored inside a document about the document itself) often constitutes an information leak, as it can provide attackers with a view of corporate network users, their email addresses, the software versions they use to create documents and the internal network locations where files are stored.
As part of our research, we were able to obtain an average of 41 internal usernames and 44 email addresses per company. These may be used to facilitate targeted phishing email scams. Looking at the results by industry group, the most internal email addresses were disclosed by companies in the Aerospace and Defence (212 emails per company), Tobacco (100), Oil Equipment, Services and Distribution (94) and Pharmaceuticals and Biotechnology (93) sectors.
What we found - Internal network locations
Internal network locations point to internal server names and assist hackers in gaining an insight into your internet structure2.
“We obtained an average of 41 internal usernames and 44 email addresses per company.”
2 An internal file name may look something like \\compxlonserv1\MandA\secretfile1.
We managed to extract an average of five sensitive internal file locations per company, with the highest recorded instance of 139 internal file locations in one company. The sectors leaking the most internal network locations3 were:
[Chart: Total recorded internal file locations per sector; the sector list is not recoverable from the extraction.]
3 Excludes Equity Investment Instruments, Media, Household Goods.
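The meta-data and internal file location leaks described in the two sections above, as an added example that is not part of the KPMG report: a Python script that builds a constructed minimal .docx, reports the author, company, application-version and UNC-path values it carries, and produces a stripped copy fit for publication. The user name, company and path in the sample are constructed; only the UNC path format follows footnote 2, and the XML namespace declarations are omitted for brevity.

```python
import io, re, zipfile

# Constructed minimal .docx (a zip of XML parts), not a real FTSE 350 document. core.xml holds
# the author fields, app.xml the company and application version, .rels the hyperlink targets.
PARTS = {
    "docProps/core.xml": "<cp:coreProperties><dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>ACME\\jsmith</cp:lastModifiedBy></cp:coreProperties>",
    "docProps/app.xml": "<Properties><Application>Microsoft Office Word</Application>"
        "<AppVersion>14.0000</AppVersion><Company>ACME plc</Company></Properties>",
    "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId5" '
        'Target="file:///\\\\compxlonserv1\\MandA\\secretfile1.xlsx" TargetMode="External"/>'
        "</Relationships>",
}

def build_sample_docx(parts=PARTS):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

# Property elements that identify users, the organisation or the software version.
LEAKY_TAGS = ("dc:creator", "cp:lastModifiedBy", "Company", "AppVersion")
TAG_RE = re.compile(r"<(%s)>(.+?)</\1>" % "|".join(re.escape(t) for t in LEAKY_TAGS))
# A UNC path such as \\server\share\file, i.e. an internal file location.
UNC_RE = re.compile(r'\\\\[\w.-]+(?:\\[^\\"<>\s]+)+')

def scan_docx(data):
    """Return (part, kind, value) for every user name, version or internal path found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            text = z.read(name).decode("utf-8")
            findings += [(name, tag, val) for tag, val in TAG_RE.findall(text)]
            findings += [(name, "unc-path", p) for p in UNC_RE.findall(text)]
    return findings

def strip_docx(data):
    """Return a copy with leaky properties emptied and internal file paths removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            text = src.read(name).decode("utf-8")
            text = TAG_RE.sub(lambda m: "<%s></%s>" % (m.group(1), m.group(1)), text)
            dst.writestr(name, UNC_RE.sub("", text))
    return out.getvalue()

if __name__ == "__main__":
    doc = build_sample_docx()
    print(scan_docx(doc))                # five findings
    print(scan_docx(strip_docx(doc)))    # []
```

Running scan_docx over the documents already on a corporate website gives a concrete inventory of the usernames and server names an outsider can collect; strip_docx is the publishing-time control the report recommends.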
What we found - Hacking forums
Hackers will often share information on potential or already compromised companies as posts on underground forums, using digital whiteboard technology to quickly paste information. These postings often reveal email addresses of individuals to be targeted in ‘spear-phishing4’ attacks, passwords of users on internal and external systems, as well as details of internet-facing firewalls and VPN (Virtual Private Network) hosts.
Companies within the following sectors are discussed the most in these forums5:
- Banking
- General Financial
- General Retailers
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Software and Computer Services
- Support Services
- Technology Hardware and Equipment
- Telecommunications
- Tobacco
We found that on average a FTSE 350 company will have 12 postings on these forums relating to sensitive corporate information. The highest recorded instance of posts was 748, related to companies in the General Financial sector. The second and third highest recorded entries related to a company in the Technology Hardware and Equipment sector, with 603 and 346 posts respectively.
“Technology Hardware and Equipment had the greatest amount of posts on hacking forums with an average of 163 per company”
4 An e-mail spoofing fraud attempt that targets a specific organisation, seeking “unauthorised access to confidential data”. Source: http://searchsecurity.techtarget.com/definition/spear-phishing
5 Numbers based on a six month collection period (January to June 2013). Excludes Household Goods, Travel and Leisure.
[Chart: average hacking forum posts per company per sector. Sectors shown: Mining, Oil Equipment & Services, Support Services, Industrial Engineering, Software & Computer Services, Telecommunications, General Industrials, Aerospace & Defence, Banks, Utilities, Life Insurance, Oil & Gas Producers, General Financial, Technology Hardware & Equipment, Pharmaceuticals & Biotechnology.]
[Chart: KPMG ‘High Threat Club*’.]
* Sectors most likely to be targeted. Sum of the following averages:
- Internal file locations
- Vulnerable software
- Vulnerable web servers
The spotlight is on the Aerospace and Defence sector
Aerospace and Defence stand out as a high risk sector.
Using an email designed to dupe the unsuspecting corporate user, hackers will embed a piece of malware, or a link to a malicious external site. When the user clicks on the link a piece of malware will be delivered to the user’s computer. From this point a user’s machine will be controlled by a third party and data extracted from the corporate network. The hackers will have the same access to everything as the user.
In June 2013, the FBI warned of an increase in criminals using spear-phishing attacks to target multiple industry sectors. (source - http://www.fbi.gov/scams-safety/e-scams)
Did you know?
Used by criminals and foreign intelligence services alike, phishing is the targeting mechanism of choice when penetrating an organisation’s network.
“Aerospace and Defence leaked the most email addresses with an average of 212 per company”
Many well publicised breaches have occurred in this sector over the years. As a sector, Aerospace and Defence leaked the most email addresses with an average of 212 per company. In addition, the Aerospace and Defence sector had 1209 recorded meta-data email leaks which was the highest recorded across all sectors. The sector also had the highest number of potentially vulnerable software with a total of 34.
[Chart: Aerospace and Defence average count per company for vulnerable software, hacking forums, internal file locations, users, emails and vulnerable web servers.]
Focus on the future…
…Companies should look to minimise the amount of meta-data that can be associated back to their company. Plenty of tools exist to strip this data from documents before they are published. People in sensitive roles that are likely to be the target of phishing or similar cyber attacks should have little online presence and their emails should be filtered. Such roles include IT administrators, heads of research, financial directors and other executives with control over vital corporate information or networks. Finally, and critically, CEOs and non-executive directors should scrutinise and challenge what they are being told by their teams about cyber defences, questioning how robust their defences are and whether they have been actively tested. This requires the people at the very top of their organisation to have an in-depth understanding of both the threats and the countermeasures.
Contact us to find out more
Malcolm Marshall, Partner
T: +44 (0)20 7311 5456 E: [email protected]
Stephen Bonner, Partner
T: +44 (0)20 7694 1644 E: [email protected]
Charles Hosner, Partner
T: +44 (0)7500 809 597 E: [email protected]
Martin Jordan, Head of Cyber Response
T: +44 (0)776 846 7896 E: [email protected]
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
RR Donnelley | RRD-285392 | July 2013 | www.kpmg.co.uk