In the face of growing cybersecurity threats, it is increasingly important to measure the cost and concentration of “exposure,” which we define here as weaknesses in the public-facing configuration of internet-connected services. Having an accurate view of the resilience of organisations and industries against cyber-attacks can facilitate more accurate cost models, help target efforts to reduce exposure to the industries that need it most, and enhance cooperative efforts between government and the private sector to better protect users and companies alike. Measurement of industry-level exposure can also inform industry-specific working groups that share cybersecurity information and threat intelligence, such as Information Sharing and Analysis Centres.
To understand current levels of exposure and resiliency in Australasia,1 Rapid7 Labs measured the internet-facing security profiles of the S&P/ASX 2002 (ASX200) during Q4 2018 for:
- Overall attack surface (the number of exposed servers/devices);
- Presence of dangerous or insecure services;
- Phishing defence posture;
- Weak public service and metadata configurations; and
- Joint third-party website dependency risks.