Rapid7's 2021 ICER Takeaways: Version Complexity Among the Fortune 500

Rapid7's 2021 ICER Takeaways: Version Complexity Among the Fortune 500

This blog post covers key takeaways from our 2021 Industry Cyber-Exposure Report (ICER): Fortune 500.

Complexity is the enemy when it comes to successful security outcomes in an organization. Diversity in systems, technologies, and business processes present real, daily challenges for even the most mature security teams, especially when it comes to patch and vulnerability management. Patching even one major vulnerability can be a herculean task in many places. Diversity compounds complexity within each technology component. That is to say, an organization may have multiple web-server technologies in use. Each technology, in turn, may have its own hodgepodge of versions, which directly (negatively) impacts configuration management and patch management.

To get a feel for how these well-resourced organizations are performing in this area, we looked at 3 factors:

The diversity of the portfolio of a selected technology—web servers—in use by each organization
How well an organization maintains this portfolio
How well organizations maintain critical services, such as email gateways

Our findings show that:

Within a single technology stack (web servers), organizations in a staggering number of industries—Business Services, Financials, Healthcare, Leisure, Industrials, Media, Technology—expose 10 or more different versions of Apache and/or Nginx. All industries have 1 or more members exposing 3 or more different versions of IIS. This increases their respective attack surfaces and makes it difficult to deploy patches (when they bother to apply patches) due to testing and quality-assurance complexity.
Organizations have serious difficulty keeping critical IT infrastructure—such as Microsoft Exchange—current. Only around 19% (30 out of 160) of the Fortune 500 that still run self-hosted Microsoft Exchange are running current/supported versions. Further, 18% are running end-of-life versions of Exchange 2007 and 2010, putting them at risk of f ..

Support the originator by clicking the read the rest link below.