uk cyber vulnerability index 2013

RISK CONSULTING An ethical investigation into cyber security across the FTSE350 UK Cyber Vulnerability Index 2013 What does your online corporate profile reveal?


Page 1: UK cyber vulnerability index 2013

RISK CONSULTING

An ethical investigation into cyber security across the FTSE350

UK Cyber Vulnerability Index 2013

What does your online corporate profile reveal?

Page 2: UK cyber vulnerability index 2013

1 | Cyber Vulnerability Index

More than ... of the FTSE 350 have out of date and potentially vulnerable web servers.

Page 3: UK cyber vulnerability index 2013

How we put together our Index.

KPMG performed research across the FTSE 350 constituent companies (over January to June 2013), with the aim of performing the same initial steps that hackers and organised criminals would perform when profiling a target organisation for attack or infiltration. This included some of the techniques used by threat actors often referred to as Advanced Persistent Threats, or ‘APTs’.

Our research focused on finding publicly available technical information about the FTSE350 group’s respective corporate IT. We mapped the structure of relevant corporate websites to identify potentially sensitive file locations or hidden functionality useful to cyber attackers. We then reviewed the content and meta-data of publicly accessible documents. While navigating the sites, we found interesting internal file locations, email addresses and technical data that would stimulate further investigation by hackers. In addition to websites, we also reviewed the content published on selected public sharing websites.

All profiling information was sourced from the public documents located on the FTSE350 corporate websites, document meta-data, search engines and public internet forums, and no hacking or illegal actions were performed.

How cyber criminals use organisations’ data against them.

The perpetrators of modern cyber attacks – whether these are social activists, criminals, competitors, or national governments – make extensive use of publicly available company information when planning their activity. Technical IT data, such as the versions of software used, usernames and email addresses, and technical details about a firm’s web-facing systems, is of particular interest to perpetrators.

Such data is almost never relevant to the firm’s customers or website visitors, but may end up online due to negligence, deficient document publishing procedures, or as a result of earlier security breaches. Even so, it is useful to hackers as it helps profile the target firm’s IT and employees, and may reveal weaknesses in the firm’s security defences.

Due to the non-intrusive nature of the discovery process, it leaves minimal to no footprint and is therefore difficult to detect or protect against. The best course of action may still be minimising the data unnecessarily published in the first place.

Page 4: UK cyber vulnerability index 2013

What we found - Vulnerable web servers

We observed that over 53 percent of corporate websites were supported by out-of-date and potentially vulnerable technologies.

Corporate websites are supported by a number of web technologies. When a website is accessed, the web server often reveals its software version, which is typically hidden from a web browser’s view. The disclosure of these web banner software versions can prove to be of significant value to an attacker when profiling a remote target site and server.

Out of the 53 percent vulnerable to attack due to missing security patches or outdated server software, the sectors with the highest number of web vulnerabilities¹ were:

- Support Services
- Software and Computer Services
- General Retailers
- Mining
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Aerospace and Defence
- Banks
- Telecommunications
- General Industrial

Across the whole FTSE 350 group of companies, we identified an average of three potential web server vulnerabilities per company, with a total of 1121 vulnerabilities recorded. The highest recorded instance of web server vulnerabilities attributed to one company was 32.

We also noted the large number of development and preproduction web servers during our analysis. In one particular instance we discovered that a home-use web server, which provides a significantly lower level of sophistication and security, was in use by a FTSE350 company.

It’s no longer acceptable to patch internal servers and corporate laptops within four weeks of a patch being released. On a recent piece of client work we witnessed a patching policy of 48 hours for internal systems, covering some 2000 servers and 20,000 laptops, which shows what can be done.

1 Excludes Beverages, Media, Travel & Leisure and Equity Invest Instruments.
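The banner disclosure described above is straightforward to audit from the defender's side. The following is an added example written for this page (not KPMG's methodology or tooling): it parses a captured HTTP response, flags the headers that leak a product version, and pairs each with the server directive that suppresses it. The header list is an assumption and the sample responses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Headers that commonly carry product versions, mapped to the setting that
# silences them. Directive names are real; the header list is an assumption.
FIX_HINTS = {
    "server": "Apache: ServerTokens Prod / nginx: server_tokens off;",
    "x-powered-by": "PHP: expose_php = Off / Express: app.disable('x-powered-by')",
    "x-aspnet-version": 'ASP.NET: <httpRuntime enableVersionHeader="false" />',
}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # e.g. 2.2.22 or 5.3.10

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def find_version_disclosures(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, value, fix) for every banner header that leaks a version."""
    return [(h, v, FIX_HINTS[h]) for h, v in parse_headers(raw).items()
            if h in FIX_HINTS and VERSION_RE.search(v)]

# Constructed sample responses: a verbose banner and its hardened counterpart.
VERBOSE = """HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10
X-Powered-By: PHP/5.3.10
Content-Type: text/html"""

HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html"""

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, find_version_disclosures(resp))
```

Feed it the output of `curl -sI` against your own sites; an empty list, as for the hardened sample, is the target state.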

Page 5: UK cyber vulnerability index 2013

“ Telecommunications, Aerospace and Defence, Utilities, Financial Services, Oil Equipment and Services recorded the highest average vulnerable software”

[Chart: Potential web server vulnerability - TOTAL count per sector. Sectors on the axis: Support Services, Software & Computer Services, Chemicals, Nonlife Insurance, Travel & Leisure, Mining, General Industrials, Technology Hardware & Equipment, Electronic & Electrical Equipment, Oil & Gas Producers, Pharmaceuticals & Biotechnology, Banks, Media, Aerospace & Defence, General Retailers, Telecommunications]

Looking at the results by industry group, the highest averages for out-of-date web servers were held by:

[Chart: Potential web server vulnerability - AVERAGE count per company per sector. Sectors on the axis: Financial Services, Oil Equipment & Services, Pharmaceuticals & Biotechnology, Health Care Equipment & Services, General Retailers, Oil Equipment, Services & Distribution, Technology Hardware & Equipment, Utilities, Aerospace & Defence, Banks, Support Services, Personal Goods, Oil & Gas Producers, General Industrial, Software & Computer Services, Telecommunications]

Page 6: UK cyber vulnerability index 2013

“ Utilities rated worst for leaking internal user names - on average 126 per company”

Page 7: UK cyber vulnerability index 2013

What we found - Sensitive information within meta-data

Meta-data (information stored inside a document about the document itself) often constitutes an information leak as it can provide attackers with a view of corporate network users, their email addresses, the software versions they use to create documents and internal network locations where files are stored.

[Diagram: Information within document]

As part of our research, we were able to obtain an average of 41 internal usernames and 44 email addresses per company. These may be used to facilitate targeted phishing email scams. Looking at the results by industry group, most internal email addresses were disclosed by companies in the Aerospace and Defence (212 emails per company), Tobacco (100), Oil Equipment, Services and Distribution (94) and Pharmaceuticals and Biotechnology (93).

“ We obtained an average of 41 internal usernames and 44 email addresses per company.”

What we found - Internal network locations

Internal network locations point to internal server names and assist hackers in gaining an insight into your internet structure². We managed to extract an average of five sensitive internal file locations per company, with the highest recorded instance of 139 internal file locations in one company. The sectors leaking the most internal network locations³ were:

[Chart: Total recorded internal file locations per sector. Sectors on the axis: Support Services, Mining, General Retailers, Oil Equipment, Services & Distribution, Pharmaceuticals & Biotechnology, Real Estate Investment Trusts, General Financial, Oil & Gas Producers, Utilities, Industrial Engineering, Software & Computer Services, Banks, Aerospace & Defence, Life Insurance, Telecommunications]

2 An internal file name may look something like \\compxlonserv1\MandA\secretfile1.
3 Excludes Equity investment instruments, Media, Household Goods.

Page 8: UK cyber vulnerability index 2013

What we found - Hacking forums

Hackers will often share information on potential or already compromised companies as posts on underground forums, using digital whiteboard technology to quickly paste information. These postings often reveal email addresses of individuals to be targeted in ‘spear-phishing⁴’ attacks, passwords of users on internal and external systems, as well as details of internet facing firewalls and VPN (Virtual Private Network) hosts.

We found that on average a FTSE 350 company will have 12 postings on these forums relating to sensitive corporate information. The highest recorded instance of posts was 748, related to companies in the General Financial sector. The second and third highest recorded entries related to a company in the Technology Hardware and Equipment sector, with 603 and 346 posts respectively.

Companies within the following sectors are discussed the most in these forums⁵:

- Banking
- General Financial
- General Retailers
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Software and Computer Services
- Support Services
- Technology Hardware and Equipment
- Telecommunications
- Tobacco

“ Technology Hardware and Equipment had the greatest amount of posts on hacking forums with an average of 163 per company”

4 An e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data. Source: http://searchsecurity.techtarget.com/definition/spear-phishing
5 Numbers based on six month collection period (over January to June 2013). Excludes household goods, travel and leisure.

[Chart: KPMG ‘High Threat Club’* by sector. Sectors on the axis: Mining, Oil Equipment & Services, Support Services, Industrial Engineering, Software & Computer Services, Telecommunications, General Industrials, Aerospace & Defence, Banks, Utilities, Life Insurance, Oil & Gas Producers, General Financial, Technology Hardware & Equipment, Pharmaceuticals & Biotechnology]

* Sectors most likely to be targeted. Sum of the following averages: Internal file locations, Vulnerable Software, Vulnerable Web Servers.

Page 9: UK cyber vulnerability index 2013

The spotlight is on the Aerospace and Defence sector

Aerospace and Defence stand out as a high risk sector.

“ Aerospace and Defence leaked the most email addresses with an average of 212 per company”

Many well publicised breaches have occurred in this sector over the years. As a sector, Aerospace and Defence leaked the most email addresses with an average of 212 per company. In addition, the Aerospace and Defence sector had 1209 recorded meta-data email leaks, which was the highest recorded across all sectors. The sector also had the highest number of potentially vulnerable software with a total of 34.

[Chart: Average count for the Aerospace and Defence sector - Emails 212; Users, Internal file locations, Hacking forums, Vulnerable software and Vulnerable web servers also charted]

Did you know?

Used by criminals and foreign intelligence services alike, phishing is the targeting mechanism of choice when penetrating an organisation’s network.

Using an email designed to dupe the unsuspecting corporate user, hackers will embed a piece of malware, or a link to a malicious external site. When the user clicks on the link a piece of malware will be delivered to the user’s computer. From this point a user’s machine will be controlled by a third party and data extracted from the corporate network. The hackers will have the same access to everything as the user.

In June 2013, the FBI warned of an increase in criminals using spear-phishing attacks to target multiple industry sectors. (Source: http://www.fbi.gov/scams-safety/e-scams)

Page 10: UK cyber vulnerability index 2013

Focus on the future…

Page 11: UK cyber vulnerability index 2013

…Companies should look to minimise the amount of meta-data that can be associated back to their company. Plenty of tools exist to strip this data from documents before they are published. People in sensitive roles that are likely to be the target of phishing or similar cyber attacks should have little online presence and their emails should be filtered. Such roles include IT administrators, heads of research, financial directors and other executives with control over vital corporate information or networks. Finally, and critically, CEOs and non-executive directors should scrutinise and challenge what they are being told by their teams about cyber defences, questioning how robust their defences are and whether they have been actively tested. This requires the people at the very top of their organisation to have an in-depth understanding of both the threats and the countermeasures.
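One way to implement the pre-publication check recommended above, as an added example written for this page rather than a KPMG tool: it reads a .docx as the OOXML zip it is, reports the author, company and application-version properties together with any internal UNC paths of the kind shown in footnote 2, and produces a copy with those properties blanked. The sample document, user name, company and path are constructed.

```python
import io
import re
import zipfile

# OOXML property elements that identify people, software versions and organisations.
IDENTITY_TAGS = ("dc:creator", "cp:lastModifiedBy", "Company", "Application", "AppVersion")
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
UNC_RE = re.compile(r"\\\\[\w$.-]+(?:\\[\w$.-]+)+")  # \\server\share\folder\file

def audit_docx(data: bytes) -> dict:
    """Report identity metadata and internal UNC paths found anywhere in a .docx blob."""
    findings = {"metadata": [], "unc_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            xml = z.read(name).decode("utf-8", "replace")
            if name in PROPERTY_PARTS:
                for tag in IDENTITY_TAGS:
                    m = re.search(rf"<{tag}>([^<]+)</{tag}>", xml)
                    if m:
                        findings["metadata"].append(f"{tag}={m.group(1)}")
            findings["unc_paths"] += UNC_RE.findall(xml)
    return findings

def strip_docx_metadata(data: bytes) -> bytes:
    """Return a copy with the identity properties blanked; the document body is untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in PROPERTY_PARTS:
                xml = payload.decode("utf-8")
                for tag in IDENTITY_TAGS:
                    xml = re.sub(rf"<{tag}>[^<]*</{tag}>", f"<{tag}></{tag}>", xml)
                payload = xml.encode("utf-8")
            dst.writestr(item.filename, payload)
    return out.getvalue()

def build_sample_docx() -> bytes:
    """Constructed minimal .docx for the demo; the user, company and path are invented."""
    core = ('<cp:coreProperties><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>jsmith</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties><Application>Microsoft Office Word</Application>'
           '<AppVersion>14.0000</AppVersion><Company>Example Plc</Company></Properties>')
    doc = ('<w:document><w:body><w:p><w:t>Saved from '
           '\\\\fileserv01\\Finance\\Q2\\draft.docx</w:t></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in zip(PROPERTY_PARTS + ("word/document.xml",), (core, app, doc)):
            z.writestr(name, xml)
    return buf.getvalue()
```

A UNC path reported in the body text is not removed by the strip step; it needs editing in the document itself before publication.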

Page 12: UK cyber vulnerability index 2013

Contact us to find out more

Malcolm Marshall

Partner

T: +44 (0)20 7311 5456 E: [email protected]

Stephen Bonner Partner

T: +44 (0)20 7694 1644 M: [email protected]

Charles Hosner Partner

T: +44 (0)7500 809 597 M: [email protected]

Martin Jordan Head of Cyber Response T: +44 (0)776 846 7896 E: [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

RR Donnelley | RRD-285392 | July 2013 | www.kpmg.co.uk