Rapid7 NICER – starting a conversation on internet security | Company Report – FinTech Magazine – The FinTech & InsurTech Platform

There has never been a more opportune moment than now to discuss internet security: the COVID-19 pandemic has forced many companies and individuals to reconsider their basic operations and reimagine manual processes, and has also vindicated the effectiveness of remote working. A consequence of the modern world's reliance on digital technology is the near-constant vigilance required to ensure its integrity; far from being a static issue which can be addressed satisfactorily with yesterday's tech, it demands a spirit of innovation and honest critical evaluation to understand and remedy the underlying problems which threaten to disrupt us. To spur on a debate and engage developers, regulatory authorities and the wider community, security specialist Rapid7 has released NICER 2020 (National / Industry / Cloud Exposure Report), the most comprehensive census of the modern internet risk landscape ever completed.

Speaking to us on Zoom with a background representing a visualised map of the internet, Tod Beardsley, Director of Research at Rapid7, emphasises that NICER is an attempt to spur the world into affirmative action: "We're hoping that this report helps people make informed decisions about what they should be putting on the internet, what they shouldn't and what their local neighbourhoods might look like." NICER is being released for free; Rapid7 wants everybody to pick this up and peruse it. A comprehensive document split into 16 sections and three appendices, NICER is the result of four years' worth of research, although it starts with a relatively modern focus: the effect of the global pandemic on internet security, which, Beardsley states, was surprising. "We were planning things out in January and February and then the world came crashing down. I thought, 'Hang on, let's redo all our scans; surely has fundamentally changed.' However, we found no effect at all." In fact, the results showed a reduction in dangerous services, most notably Windows SMB (service message block) network protocols.

However, this unexpected good news shouldn't lull people into a false sense of security - the "myth of the silver city", to quote the report; Beardsley is adamant that vigilance and proactivity are the keys to success. "The problem [with the perception that progress is being made] is that we're not going in that direction fast enough," which is re-emphasised in NICER: "...the security of the internet still trails the desire to just get things working, and working quickly." This sentiment roughly encapsulates the challenge faced by those endeavouring to bolster internet security: to construct an efficient operating model which doesn't sacrifice integrity, with necessary updates and patches implemented in a timely and consistent manner. The report can help facilitate the achievement of this goal by providing hard data that developers can reference as they seek out solutions.

In terms of cyberattacks themselves, Beardsley states that they continue to include conventional phishing scams as well as more advanced methods, such as exploiting known vulnerabilities and old software that's on the edge. The report includes a summary of the most exposed countries by total attack surface, exposure to selected services, vulnerability rate and other metrics. While countries such as the US and China might bring no surprises for their high-risk factor, NICER also includes some surprises such as Canada (9) ranking higher than Iran (10), despite the former having a population density almost 50% lower than the latter. This is a perfect example of the report's ability to correct potentially damaging preconceptions. Iran is very technically savvy but it is more reliant on client-oriented internet (mobile phone networks, etc), whereas Canada has a lot more in the way of wired infrastructure and servers.

NICER's information about entire countries enables each to identify its own neighbourhood and measure its progress relative to others, but what about specific industries? The report also includes a graph measuring each sector's vulnerable assets, revealing that highly essential services - telecoms, financial services, retail and pharma - are amongst the most exposed, including some of the largest organisations on the FTSE 100, Fortune 500 and Nikkei Index. "These companies have the resources to be great at security, but, ultimately, it's not their job," says Beardsley. And a lot of these companies are over 10 years old and haven't gotten around to upgrading, particularly if everything still appears to be working fine. The blight of legacy network protocols is also problematic, with some like FTP (file transfer protocol) dating back to the 1970s and possessing no inherent cryptographic assurances. Maintaining patch and version management, therefore, is essential. With cloud also continuing to be adopted more widely, Beardsley states that the information on this topic explored in NICER will be developed further into a forthcoming report at the end of 2020.

Policymakers, too, have a crucial role to play - as stated in NICER: "The pen is mightier than the firewall." Rapid7's report aims to supply regulators and legislators of all kinds with the necessary information needed to focus their attentions. "Legislators and even cyber insurers want to look at this stuff to understand what's acceptable and what's not. I think policymakers have a pretty critical role, both in terms of understanding risk management and understanding like how the internet itself works." Citing their ability to find effective solutions to problems which are still economically viable, Beardsley also believes that policymakers' ability to bring pressing issues to the forefront of people's attention makes them an invaluable ally. "They can sound the national security alarm and people will listen," he adds.
