RAPID7
NICER – starting a conversation on internet security
DIGITAL REPORT 2020
SEPTEMBER 2020
www.rapid7.com

Tod Beardsley, Director of Research at Rapid7, outlines the company’s recently released NICER report and why everyone can do better on online security
Video: Confessions of a Former CISO: Shaming People for Bad Security (5:40)

There has never been a more opportune moment than now to discuss internet security: the COVID-19 pandemic has forced many companies and individuals to reconsider their basic operations, reimagine manual processes and also vindicated the effectiveness of remote working. A consequence of the modern world’s reliance on digital technology is the near-constant vigilance required to ensure its integrity; far from being a static issue which can be addressed satisfactorily with yesterday’s tech, a spirit of innovation and honest critical evaluation is required to understand and remedy the underlying problems which threaten to disrupt us. To spur on a debate and engage developers, regulatory authorities and the wider community, security specialist Rapid7 has released NICER 2020 (National / Industry / Cloud Exposure Report), the most comprehensive census of the modern internet risk landscape ever completed. Speaking to us on Zoom with a background representing a visualised ‘map’ of the internet,
Tod Beardsley, Director of Research at Rapid7, emphasises that NICER is an attempt to spur the world into affirmative action: “We’re hoping that this report helps people make informed decisions about what they should be putting on the internet, what they shouldn’t and what their local ‘neighbourhoods’ might look like. NICER is being released for free; Rapid7 wants everybody to pick this up and peruse it.” A comprehensive document split into 16 sections and three appendices, NICER is the result of four years’ worth of research, although it starts with a relatively modern focus: the effect of the global pandemic on internet security, which, Beardsley states, was surprising. “We were planning things out in January and February and then the world came crashing down. I thought, ‘Hang on, let’s redo all our scans; surely has fundamentally changed’. However, we found no effect at all.” In fact, the results showed a reduction in dangerous services, most notably the Windows SMB (Server Message Block) network protocol.

However, this unexpected good news shouldn’t lull people into a false sense of security – the “myth of the silver city”, to quote the report – and Beardsley is adamant that vigilance and proactivity are the keys to success. “The problem [with the perception that progress is being made] is that we’re not going in that direction fast enough,” which is re-emphasised in NICER: “... the security of the internet still trails the desire to just get things working, and working quickly.” This sentiment roughly encapsulates the challenge faced by those endeavouring to bolster internet security: to construct an efficient operating model which doesn’t sacrifice integrity, with necessary updates and patches implemented in a timely and consistent manner. The report can help facilitate the achievement of this goal by providing hard data that developers can reference as they seek out solutions.

In terms of cyberattacks themselves, Beardsley states that they continue to include conventional ‘phishing’ scams as well as more advanced methods, such as “exploiting known vulnerabilities and old software that’s on the edge.” The report includes a summary of the ‘most exposed’ countries by total attack surface, exposure to selected services, vulnerability rate and other metrics. While countries such as the US and China might bring no surprises for their high-risk factor, NICER also includes some surprises such as Canada (9) ranking higher than
Iran (10), despite the former having a population density almost 50% lower than the latter. This is a perfect example of the report’s ability to correct potentially damaging preconceptions. “Iran is very technically savvy but it is more reliant on client-oriented internet (mobile phone networks, etc), whereas Canada has a lot more in the way of wired infrastructure and servers.”

NICER’s information about entire countries enables each to identify its own ‘neighbourhood’ and measure its progress relative to others, but what about specific industries? The report also includes a graph measuring each sector’s vulnerable assets, revealing that highly essential services – telecoms, financial services, retail and pharma – are amongst the most exposed, including some of the largest organisations on the FTSE 100, Fortune 500 and Nikkei Index. “These companies have the resources to be great at security, but, ultimately, it’s not their job,” says Beardsley. “And a lot of these companies are over 10 years old and haven’t gotten around to upgrading, particularly if everything still appears to be working fine.” The blight of legacy network protocols is also problematic, with some like FTP (file transfer protocol) dating back to the 1970s and possessing no inherent cryptographic assurances. Maintaining patch and version management, therefore, is essential. With cloud also continuing to be adopted more widely, Beardsley states that the information on this topic explored in NICER will be developed further into a forthcoming report at the end of 2020.

EXECUTIVE PROFILE:
Tod Beardsley
Title: Director of Research
Location: Austin, Texas
Industry: IT & Network Security
I’m an individual contributor on software engineering projects, a technical security researcher, a no good dirty hacker, an open source maintainer and advocate, a conference organizer, a podcaster, blogger, and all-around new media gadfly, and an often-quoted primary spokesperson — often several to all of these roles at the same time!

Policymakers, too, have a crucial role to play – as stated in NICER: “The pen is mightier than the firewall.” Rapid7’s report aims to supply regulators and legislators of all kinds with the information they need to focus their attentions. “Legislators and even cyber insurers want to look at this stuff to understand what’s acceptable and what’s not. I think policymakers have a pretty critical role, both in terms of understanding risk management and understanding
like how the internet itself works.” Citing their ability to find effective solutions to problems which are still economically viable, Beardsley also believes that policymakers’ ability to bring pressing issues to the forefront of people’s attention makes them an invaluable ally. “They can sound the national security alarm and people will listen,” he adds.

NICER explores in great detail two protocols still in widespread use: Telnet and SMB. Under analysis, Rapid7 found that both were outdated and neither was particularly suited to modern internet usage; in fact, Telnet was originally specced out as a temporary solution in the 1960s. “It is obvious from this RFC (request for commands) that [Telnet] was intended to be a temporary solution and that ‘more sophisticated subsystems will be developed in time’, but to borrow from Milton Friedman, ‘there is nothing quite so permanent as a temporary solution’,” says the report. This is not to say that old systems or protocols cannot have value. However, the antiquated nature of Telnet comes from a time when active and passive attackers did not exist, thus rendering its practical use limited. Alternatives such as SSH (Secure Shell) are compelling, albeit with their own drawbacks related to exposing console access to the internet. “With SSH, I can tell with certainty that the computer I’m talking to is the one I thought I was talking to because they have cryptographic fingerprints that are easily verified,” clarifies Beardsley.

SMB, on the other hand, was found to be too complex, almost to the point of being obscurant. With “the most destructive internet worms in history” using SMB in some way, NICER advocates for HTTPS as an alternative. “SMB is very opaque,” Beardsley summarises. “It makes cryptographic guarantees that it can’t keep. I’m not advocating for the end of SMB, but having it directly exposed to the internet is a pretty bad
idea and it’s almost always accidental.”

The conclusion of NICER provides a mixed but ultimately encouraging takeaway: “Things aren’t great, but not disastrously bad and relatively small changes in how we design, develop and deploy services will still have a great impact on the stability, safety and security of the internet as a whole.” This is a sentiment that Beardsley echoes: “At the moment, I feel like a climate scientist saying global warming is happening but everyone is responding, ‘But it’s fine right now’.” Indeed, the problem with underlying issues relating to internet security is how everyday interactions with it (using social media, watching videos, research, etc) appear unaffected, yet the potential for all these things to be disrupted exists on a fundamental level. “Internet security is not a goal in and of itself: security enables culture, commerce, art and even society,” he continues. “I don’t see a world where we’re licensing people to programme on the internet, but I would like us to reach a point where it’s normal for software developers or electrical engineers to learn new aspects of security in their professional development.”

Rapid7’s NICER could play a crucial role in expanding global consciousness on the importance of internet security. In fact, Beardsley hopes that it is the start of an ongoing and fruitful debate. “If someone else out there has different stats or conclusions, we’re more than happy to have that conversation. NICER is not a ‘one and done’ report; this is an entry point into what will hopefully be several conversations on what we want the future of the internet to be.” Read Rapid7’s full NICER report here and watch Tod share the key takeaways in this webcast.
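The country-level metrics the article mentions (total attack surface, exposure to selected services, vulnerability rate) and its point that a raw ranking can surprise, with Canada placing above Iran despite far fewer people, can be made concrete with a small census of one's own. The Python below is an added example, not code from the NICER report or from Rapid7; the scan records, the country labels "AA" and "BB" and the host identifiers are all constructed, and the set of "legacy" services is just the three protocols the article singles out (Telnet, FTP, SMB).

```python
"""Added example (not from the NICER report or Rapid7): a tiny exposure census
over constructed scan records, producing per-country metrics of the kind the
report ranks on, and showing that ranking by absolute attack surface and
ranking by rate can put the same countries in a different order."""
from collections import defaultdict
from dataclasses import dataclass

# Services the article singles out as legacy/unencrypted or risky when internet-facing.
LEGACY_SERVICES = {"telnet", "ftp", "smb"}


@dataclass(frozen=True)
class Observation:
    country: str      # constructed two-letter label, not an ISO code lookup
    host: str         # constructed placeholder identifier, not a real address
    service: str      # service name as a scanner would label the open port
    vulnerable: bool  # scanner matched a known-vulnerable version banner


# Constructed sample: "AA" has more hosts and more open services in total,
# while "BB" has fewer hosts but a far larger share of legacy services.
SAMPLE = [
    Observation("AA", "aa-1", "https", False),
    Observation("AA", "aa-1", "ssh", False),
    Observation("AA", "aa-2", "https", False),
    Observation("AA", "aa-3", "http", True),
    Observation("AA", "aa-4", "smb", True),
    Observation("AA", "aa-5", "https", False),
    Observation("AA", "aa-6", "ssh", False),
    Observation("BB", "bb-1", "telnet", True),
    Observation("BB", "bb-1", "ftp", True),
    Observation("BB", "bb-2", "smb", True),
    Observation("BB", "bb-3", "https", False),
]


def census(observations):
    """Aggregate per-country metrics from Observation records.

    attack_surface    = number of exposed services seen in the country
    legacy_services   = how many of those are Telnet/FTP/SMB
    vulnerability_rate = share of exposed services with a known-vulnerable banner
    """
    acc = defaultdict(lambda: {"hosts": set(), "services": 0, "legacy": 0, "vulnerable": 0})
    for obs in observations:
        bucket = acc[obs.country]
        bucket["hosts"].add(obs.host)
        bucket["services"] += 1
        bucket["legacy"] += int(obs.service in LEGACY_SERVICES)
        bucket["vulnerable"] += int(obs.vulnerable)
    return {
        country: {
            "hosts": len(b["hosts"]),
            "attack_surface": b["services"],
            "legacy_services": b["legacy"],
            "vulnerability_rate": b["vulnerable"] / b["services"],
        }
        for country, b in acc.items()
    }


def rank(metrics, key):
    """Countries ordered from most to least exposed by the chosen metric."""
    return sorted(metrics, key=lambda country: metrics[country][key], reverse=True)


if __name__ == "__main__":
    m = census(SAMPLE)
    for country, row in m.items():
        print(country, row)
    print("by attack surface:   ", rank(m, "attack_surface"))
    print("by vulnerability rate:", rank(m, "vulnerability_rate"))
```

On the constructed sample, "AA" leads when ranked by absolute attack surface but "BB" leads on vulnerability rate and on legacy-service exposure, which is the kind of reordering a normalised metric produces and the reason a census should publish more than one column.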
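Beardsley's point about SSH, that the host it connects to "has cryptographic fingerprints that are easily verified", can be shown with nothing beyond the Python standard library. The code below is an added example, not code from the NICER report or from Rapid7: it builds an OpenSSH-format Ed25519 public key line from constructed key bytes, computes the SHA256 fingerprint in the same form that `ssh-keygen -lf` prints, and compares it with a fingerprint obtained out of band, the check an administrator does before trusting a new host key. The key material and host lines are constructed placeholders, not any real host's key.

```python
"""Added example (not from the NICER report or Rapid7): computing and checking
an OpenSSH-style SSH host key fingerprint with the standard library only.
All key material here is constructed and is NOT a real host key."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_public_key_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build a known_hosts/authorized_keys-style line for a 32-byte Ed25519 public key.
    The blob is string("ssh-ed25519") || string(32 raw key bytes), as in RFC 8709."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str):
    """Split a public key line into (declared type, decoded blob), rejecting a line
    whose declared type does not match the type embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    declared_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode()
    if embedded_type != declared_type:
        raise ValueError(f"key type mismatch: {declared_type} vs {embedded_type}")
    return declared_type, blob


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: 'SHA256:' followed by the
    unpadded base64 of SHA-256 over the raw key blob."""
    _, blob = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pinned(line: str, pinned: str) -> bool:
    """Compare the observed key's fingerprint with one obtained out of band
    (server console, configuration management, a signed inventory).
    Constant-time comparison avoids leaking how much of the string matched."""
    return hmac.compare_digest(fingerprint(line), pinned)


# Constructed key material: NOT a real host key.
CONSTRUCTED_KEY = bytes(range(32))
HOST_KEY_LINE = build_ed25519_public_key_line(CONSTRUCTED_KEY)
# A second, different constructed key stands in for an impostor or a rotated key.
OTHER_KEY_LINE = build_ed25519_public_key_line(bytes(range(1, 33)), "other")

if __name__ == "__main__":
    print(HOST_KEY_LINE)
    print(fingerprint(HOST_KEY_LINE))
    print("pinned fingerprint matches:", matches_pinned(HOST_KEY_LINE, fingerprint(HOST_KEY_LINE)))
    print("impostor key matches:      ", matches_pinned(OTHER_KEY_LINE, fingerprint(HOST_KEY_LINE)))
```

This is exactly the assurance Telnet cannot give: a Telnet server presents no key, so there is nothing for the client to pin or compare, whereas an SSH client can refuse the session the moment the presented key's fingerprint differs from the one it was told to expect.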
POWERED BY
www.rapid7.com