A deep dive into the security of Fortune 500 organizations reveals they have improved, albeit "slowly and unevenly," with gains made in email security and vulnerability disclosure programs (VDPs) and progress lagging in asset management and high-risk services, researchers report.
Rapid7's "Internet Cyber-Exposure Report" aims to highlight critical security issues for the CISO, IT security staff, and internal business partners in an enterprise. Its analysis is broken down into five areas of risk: email security, encryption for public Web applications, version management for Web and email servers, risky protocols unsuitable for the Internet, and the increase in VDPs.
Starting with the positive trends, email security improved within the Fortune 500 as valid Domain-based Message Authentication, Reporting, and Conformance (DMARC) configurations reached 379, a 13% increase from 314 at the end of 2019. This means roughly 76% of the Fortune 500 has valid DMARC implementations, though adoption is highest in finance.
A properly implemented DMARC system can pinpoint illegitimate emails and determine how those messages should be handled. Depending on how the IT administrator configures it, DMARC can treat suspicious emails with different degrees of severity. The system can help block business email compromise (BEC) attacks, a common attack against the Fortune 500.
"That gets slightly harder when you have good DMARC," Tod Beardsley, director of research for Rapid7, says of BEC. If an employee gets an email from the CFO requesting a wire transfer, chances are higher it's actually the CFO sending the request.
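The report counts "valid" DMARC configurations; the following is an added example, not code from the report or Rapid7, of the kind of check behind such a count. It parses a domain's DMARC TXT record, decides whether receivers would honour it at all, and notes how strictly the published policy treats failing mail. The sample records and domain names are constructed for illustration.

```python
# Constructed sample records (not from the report). A real record is the TXT
# record at _dmarc.<domain>; these are inline so the check runs offline.
SAMPLE_RECORDS = {
    "monitor-only.test": "v=DMARC1; p=none; rua=mailto:agg@monitor-only.test",
    "partial.test": "v=DMARC1; p=quarantine; pct=50; sp=reject; rua=mailto:agg@partial.test",
    "strict.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:agg@strict.test",
    "no-policy.test": "v=DMARC1; rua=mailto:agg@no-policy.test",  # required p= tag missing
    "not-dmarc.test": "v=spf1 -all",  # an SPF record, not DMARC at all
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return {'valid', 'policy', 'notes'}. RFC 7489 requires v=DMARC1 first and
    a p= tag; receivers ignore a record lacking either, which 'valid' captures."""
    tags = parse_dmarc(record)
    if record.split(";", 1)[0].replace(" ", "").lower() != "v=dmarc1":
        return {"valid": False, "policy": None, "notes": ["not a DMARC1 record"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"valid": False, "policy": None, "notes": ["missing or unknown p= tag"]}
    notes = []
    if policy == "none":
        notes.append("monitor-only: failing mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    if tags.get("sp", policy).lower() != policy:
        notes.append(f"subdomains use sp={tags['sp']} instead of p={policy}")
    return {"valid": True, "policy": policy, "notes": notes}

def summarise(records=SAMPLE_RECORDS):
    """Count valid records, as the report does, plus those that actually enforce."""
    results = {d: assess_dmarc(r) for d, r in records.items()}
    valid = sum(r["valid"] for r in results.values())
    enforcing = sum(r["policy"] in ("quarantine", "reject") for r in results.values())
    return {"total": len(records), "valid": valid, "enforcing": enforcing, "results": results}

if __name__ == "__main__":
    print(summarise())
```

A record that is merely present but set to p=none counts as valid yet does nothing to stop a spoofed CFO message, which is why the policy column matters as much as the validity count.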
Another promising finding was in the growth of VDPs. Of the top 100 companies studied, 46 have a VDP. While the percentage of all Fortune 500 companies running a VDP is lower, at 20%, it's more than ..