FT30 Firms at Risk from Equifax-Style Breach

FT30 Firms at Risk from Equifax-Style Breach

The UK’s top companies could be at risk from an Equifax-style breach after new research from RiskIQ found that they are each running on average over 200 vulnerable servers and web frameworks.

The security vendor analyzed the FT30 group of firms to get a representative sample of UK companies, studying 99,467 live websites and associated infrastructure.

It found 5127 vulnerable servers – an average of 171 per organization – and 68 vulnerable frameworks per firm.

Credit agency Equifax was breached after attackers exploited a known vulnerability in the Apache Struts web application framework, allowing them to access highly sensitive data on 145.5 million Americans and nearly 700,00 British customers.

The bad news doesn’t end there for UK firms: RiskIQ also found 1051 expired certificates – 35 per organization – and 7503 untrusted certificates, or 250 per organization.

This could open these firms up to further security risks if data is not transmitted securely, and will lead to users being presented with a warning message in their browser not to visit the affected pages.

RiskIQ also found 574 OpenSSL instances, or 19 per organization, that are potentially vulnerable to Heartbleed and 1332 SHA-1 certificates now considered unsafe.

On average, each FT30 firm studied was running 440 pages collecting user info of one sort or another via login boxes or data input forms.

Unfortunately, nearly a third (29%) were using no encryption and 5% were using old encryption or expired certificates, exposing these organizations to the risk of breaches and – soon – possible GDPR fines.

Part of the problem is the rapid expansion of companies’ web presence, leading to much infrastructure being created outside of the IT department’s control.

For example, RiskIQ spotted a "long tail" of registrars outside the trusted small group used for most web domain registrations, indicating a decentralized process.

In fact, over 4000 domains – or more than 130 per firm – were registered with an employee email address as contact. This can cause issues with domain renewals when this employee leaves or changes roles, said the vendor.

The firm told Infosecurity that organizations need to appoint dedicated external threat teams consisting of analyst 'hunters' responsible for working with incident response teams and 'defenders' focused on reducing the attack surface, for example by uncovering new flaws.

“The growth of digital assets is occurring ‘outside the firewall’ and is not protected by the layers of defense that sit inside the corporate network which includes both the investment in security products and the security teams tasked with managing those solutions,” it added. 

Source: Information Security Magazine