The Risky Business: Rapid7 Report Highlights Need for Improved Vulnerability Management Practices

Back in July, Rapid7 released its first-ever National / Industry / Cloud Exposure Report, otherwise known as “NICER.” This report had a big job: to assess not only the prevalence of known threats, but also to provide a geographic census of those threats. It tells the all-too-true story of increasing vulnerabilities and a fast-growing global attack surface, particularly in a time of a global recession and pandemic.

Insights by the numbers

Based on a technical assessment of 24 surveyed service protocols, Rapid7’s NICER revealed key insights about where we’re heading in the right direction, regressing, or staying put, finding:

• Unencrypted, cleartext protocols are still heavily used. There are 42% more plaintext servers than HTTPS, 3 million databases awaiting insecure queries, and 2.9 million routers, switches, and servers accepting Telnet connections.
• Patch and update adoption continues to be slow. NICER shows 3.6 million SSH servers feature versions between five and 14 years old.
• There is good news. NICER reported a 13% year-over-year increase in exposed, dangerous services such as SMB, Telnet, and rsync.

The power of individual organizations

NICER found that top publicly traded companies in some of the wealthiest nations in the world—the United States, United Kingdom, Australia, Germany, and Japan—host a surprisingly high number of known vulnerabilities. Despite their standing in the world, this increased level of exposure is not likely to go away. The good news? Power is in the hands of individual organizations to make the right choices in handling vulnerabilities.

Because security isn’t maintained through technology alone, it’s important to stay current on accurate information and sharing it far and wide. Staying up-to-date means security threat responders can implement and support modern protocols, not simply for internal practice, but for their organization’s customers, partners, and anyone else in its orbit. Consider the following:

• Are you prioritizing “just getting things done” over keeping them secure?
• Does your organization have policies in place for routine patches, upgrades, and replacements?
• Are secure configuration practices part of your web server development and deployment lifecycles (particularly in a move to the cloud)?

Rapid7’s policy assessment capabilities can help with this effort. Featuring pre-built scan templates, as well as a custom policy builder for your unique environment, InsightVM, Rapid7’s leading vulnerability risk management solution, offers a clearer path to compliance with today’s security standards. And if you’re considering a move to the cloud, it provides visibility on the weaknesses affecting the security of cloud infrastructure. Built on a library of best-practice checks from AWS, as well as proprietary checks from Rapid7, InsightVM’s unique Cloud Configuration Assessment identifies misconfigurations and provides easily deployed remediation scripts.

Solving with solutions (that work)

Establishing and maintaining a solid vulnerability management program requires a holistic view of your online risk factor. Rapid7’s InsightVM is not only able to address vulnerabilities, but it also brings teams and people closer, boosts cross-functional morale, and brings a speedier solution with a seamless blend of visibility, assessment, prioritization, and progress measurement.

Gain full visibility into your entire attack surface

InsightVM provides asset inventory for on-premises, remote, virtual, cloud, and containerized assets. Maintain easier organization, tagging, and reporting by creating groups based on asset characteristics.

Accurately assess your ever-changing ecosystem

InsightVM performs targeted vulnerability checking based on the unique profile of each asset. It assesses containers for risk before they’re deployed, assesses the configurations of your cloud infrastructure, and provides policy and compliance assessment.

Prioritize vulnerabilities like an attacker

InsightVM’s Real Risk Score takes into account not just CVSS scores, but also malware and exploit exposure (via Metasploit Framework and Exploit DB), exploitability and ease of use, and vulnerability age. This makes prioritizing vulnerabilities simple and helps to identify your riskiest assets. Additionally, InsightVM offers robust tagging that lets you assign criticality to important systems—such as those hosting sensitive corporate data—so you can prioritize those assets for remediation.

Increase efficient and cross-functional remediation

Not to make InsightVM sound like a cleaning solution, but it kind of is! And its efficiency power extends to integration with ticketing solutions like JIRA and ServiceNow. InsightVM also comes with built-in automation workflows for patching and containment; automate repeatable tasks and accelerate treatment of vulnerabilities.

Track and measure team progress

InsightVM enables easier progress reporting and measuring to all stakeholders in your organization. Robust role-based access controls (RBACs) provide that the right stakeholders have access to the right data. Ensure you’re making—and tracking—progress toward your goals and service-level agreements (SLAs) at an appropriate pace, as well as maintaining compliance with the standards you’ve set for your program.

Advice for successful vulnerability management

The 2020 NICER lays bare the truth of the connected world in 2020: Vulnerability management is simply too thorny of a problem to paint an optimistic picture. However, we all seem to go about our daily online lives with only an occasional, minor bump in the road.

The report wraps on a positive note, with some key pieces of advice for regular hygiene, to continue the cleaning metaphor. If you’re going to put anything on the internet, it should be:

• Exposed deliberately, rather than accidentally.
• Configured securely and designed to perform only the necessary tasks.
• Patched regularly, especially when critical vulnerabilities are identified.
• Monitored mindfully, given you have just increased the attack surface for yourself, your organization, and the internet as a whole.
• Assumed attacked, as attackers do not have the ethical and legal restrictions we do, so they’ll look harder and attack at will.