Rapid7 Releases 2020 NICER Report

Rapid7 has just released the 2020 National / Industry / Cloud Exposure Report, affectionately called the NICER report (you know, like “ATM machine” and “SCUBA apparatus”). This work is, in my humble opinion, the most comprehensive census of internet-based cyber-exposure yet. We pushed our world-class data science team (and their many wonderful toys) to its very limits to produce this report, in which we set out to find just how exposed the internet is today. As we all turn to the internet to fulfill our social needs during the global pandemic lockdown, it’s more crucial than ever that we actually measure and understand how core concepts like vulnerability management, cryptography, and service exposure all contribute to the security and availability of this culture-defining invention.

But, that’s not to say the report is inaccessible—you’ll find that we sprinkled in enough fascinating facts, mini-case-studies, and dumb jokes to keep you rolling through. We also expect to be talking about this on an upcoming episode of Security Nation, and probably a ton of other venues in the coming weeks and months. There’s a lot of material to cover and a lot of different ways to look at it, so we’ll be exploring this space for a while yet.

But, just to get you all prepared to dive in, here are the key findings we present in the 2020 NICER report:

• A technical assessment of the 24 service protocols surveyed finds that, on the whole, unencrypted, cleartext protocols are still the rule, rather than the exception, on how information flows around the world, with 42% more plaintext HTTP servers than HTTPS, 3 million databases awaiting insecure queries, and 2.9 million routers, switches, and servers accepting Telnet connections.
• Patch and update adoption continues to be slow, even for modern services with reports of active exploitation. This is particularly true in the areas of email handling and remote console access where, for example, 3.6 million SSH servers are sporting versions between five and 14 years old.
• The top publicly traded companies of the United States, the United Kingdom, Australia, Germany, and Japan are hosting a surprisingly high number of unpatched services with known vulnerabilities, especially in financial services and telecommunications, which each have ~10,000 high-rated CVEs across their public-facing assets. Despite their vast collective reservoirs of wealth and expertise, this level of vulnerability exposure is unlikely to get better in a time of global recession.
• One bit of positive news was that we found the population of insecure services has gone down over the past year, with an average 13% decrease in exposed, dangerous services such as SMB, Telnet, and rsync, crushing the doom-and-gloom predicted jump of newly exposed insecure services such as Telnet and SMB, despite the sudden shift to work-at-home for millions of people and the continued rise of Internet of Things (IoT) devices crowding residential networks.

While the sky most certainly is not falling, we are not suggesting that the status quo is okay. Far from it. We encourage organizations, legislators, regulators, infrastructure providers, and standards-bearers to use this document as a both a reference (for mostly what not to do) and a catalyst for innovation and experimentation that will help make the internet a safer place for discourse, learning, and commerce.