The ASX 200 Attack Surface

Executive Summary

Overall, the companies listed on the ASX 200 have a respectable security posture. The attack surface of ASX 200 companies in general is on-par with their counterparts in the FTSE 350 and the Fortune 500. There is still definite room for improvement, but the overall security posture of ASX 200 companies have measurably improved since the Industry Cyber-Exposure Report (ICER) Rapid7 conducted on the ASX 200 in 2021.

• The industrial sector of the Australian economy leads all industries in their exposure of risky services to the internet.
• Australian companies which expose Nginx web servers could do better with managing version dispersion risk by keeping their Nginx installations up to date.
• Microsoft Exchange remains a popular on-premises email server, despite the recent spate of high-impact remote vulnerabilities.
• More ASX 200-listed companies have a valid DMARC configuration than ever before, which helps protect email and brand integrity among these companies.

Introduction

This report examines the attack surface of the 200 largest publicly traded companies listed on the Australian Securities Exchange, also known as the ASX 200. This report follows our 2021 Industry Cyber-Exposure Report (ICER) on the ASX 200 that considered one year’s worth of historical data from 2020 into 2021. While that report followed a defined methodology and was part of a cycle examining large public companies around the world (e.g. FTSE 350, Fortune 500), this report is a snapshot in time taken at the beginning of October 2022.

The report surveys a number of factors that provide a picture of what an “average” company in the ASX 200 looks like from the internet. These factors include:

• Internet-facing attack surface: Overall port counts and high-risk port counts provide insight into how accessible corporate networks are to outsiders.
• Web server type and version complexity: Web servers by necessity are internet-facing, so we do not typically consider them part of the attack surface in the same way as other services. However, the variety of software types and differing versions between servers offers a proxy for how an organization manages complexity and patching generally.
• Microsoft Exchange patching: Given the spate of high profile Microsoft Exchange vulnerabilities and the popularity of Microsoft Exchange as an enterprise email server, this serves as a leading indicator of overall vulnerability management.
• Email and Domain safety: The use of Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Domain Name Service Security Extensions.