RISK CONSULTING
An ethical investigation into cyber security across the FTSE350
UK Cyber Vulnerability Index 2013
What does your online corporate profile reveal?
1 | Cyber Vulnerability Index
[Cover callout: more than (figure not recovered from the extracted text) of the FTSE 350 have out of date and potentially vulnerable web servers.]
How we put together our Index.
KPMG performed research across the FTSE 350 constituent companies (over January to June 2013), with the aim of performing the same initial steps that hackers and organised criminals would perform when profiling a target organisation for attack or infiltration. This included some of the techniques used by threat actors often referred to as Advanced Persistent Threats, or ‘APTs’.
Our research focused on finding publicly available technical information about the FTSE350 group’s respective corporate IT. We mapped the structure of relevant corporate websites to identify potentially sensitive file locations or hidden functionality useful to cyber attackers. We then reviewed the content and meta-data of publicly accessible documents. While navigating the sites, we found interesting internal file locations, email addresses and technical data that would stimulate further investigation by hackers. In addition to websites, we also reviewed the content published on selected public sharing websites.
All profiling information was sourced from the public documents located on the FTSE350 corporate websites, document meta-data, search engines and public internet forums, and no hacking or illegal actions were performed.
How cyber criminals use organisations’ data against them.
The perpetrators of modern cyber attacks – whether these are social activists, criminals, competitors, or national governments – make extensive use of publicly available company information when planning their activity. Technical IT data, such as the versions of software used, usernames and email addresses, and technical details about a firm’s web-facing systems is of particular interest to perpetrators.
Such data is almost never relevant to the firm’s customers or website visitors, but may end up online due to negligence, deficient document publishing procedures, or as a result of earlier security breaches. Even so, it is useful to hackers as it helps profile the target firm’s IT and employees, and may reveal weaknesses in the firm’s security defences.
Due to the non-intrusive nature of the discovery process, it leaves minimal to no footprint and is therefore difficult to detect or protect against. The best course of action may still be minimising the data unnecessarily published in the first place.
What we found - Vulnerable web servers
We observed that over 53 percent of corporate websites were supported by out-of-date and potentially vulnerable technologies.
Corporate websites are supported by a number of web technologies. When a website is accessed, the web server often reveals its software version, which is typically hidden from a web browser’s view. The disclosure of these web banner software versions can prove to be of significant value to an attacker when profiling a remote target site and server.
Out of the 53 percent vulnerable to attack due to missing security patches or outdated server software, the sectors with the highest number of web vulnerabilities [1] were:
- Support Services
- Software and Computer Services
- General Retailers
- Mining
- Oil and Gas producers
- Pharmaceuticals and Biotechnology
- Aerospace and Defence
- Banks
- Telecommunications
- General Industrial
Across the whole FTSE 350 group of companies, we identified an average of three potential web server vulnerabilities per company, with a total of 1121 vulnerabilities recorded. The highest recorded instance of web server vulnerabilities attributed to one company was 32.
We also noted the large number of development and preproduction web servers during our analysis. In one particular instance we discovered a home-use web server, which provides a significantly lower level of sophistication and security, was in use by a FTSE350 company.
It’s no longer acceptable to patch internal servers and corporate laptops within four weeks of a patch being released. On a recent piece of client work we witnessed a patching policy of 48 hours for internal systems, covering some 2000 servers and 20,000 laptops, which shows what can be done.
“Telecommunications, Aerospace and Defence, Utilities, Financial Services, Oil Equipment and Services recorded the highest average vulnerable software”
[1] Excludes Beverages, Media, Travel & Leisure and Equity Invest Instruments.
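The banner disclosure described above is easy to confirm or rule out on your own estate. The following check is an added example (not tooling from the KPMG report): it parses a raw HTTP response head, looks at the headers that usually carry product banners and reports every product/version pair they reveal, so a web team can verify that the banner is gone after hardening. The header list, the regular expressions and the two sample responses are this example's own assumptions; the configuration directives named in the comments (Apache `ServerTokens Prod` and `ServerSignature Off`, nginx `server_tokens off;`, PHP `expose_php = Off`) are real directives.

```python
"""Flag server-software version disclosure in HTTP response headers.

Added example (not code from the KPMG report): a defender-side check to run
over responses from your own web servers. Both sample responses below are
constructed for illustration.
"""
import re

# Headers that commonly carry a product name and version (the "banner").
DISCLOSING_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-generator",
)

# Product/version tokens such as "Apache/2.2.22", "PHP/5.3.10", "nginx/1.2.1".
PRODUCT_VERSION = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
# A bare version such as "4.0.30319", the usual form of X-AspNet-Version.
BARE_VERSION = re.compile(r"^\d+(?:\.\d+)+$")


def parse_response_head(raw: bytes) -> dict:
    """Parse a raw HTTP response head into {lower-cased name: value}.

    Only the status line and header block are read; the body after the blank
    line is ignored. If a header repeats, the last value wins.
    """
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_version_disclosures(headers: dict) -> list:
    """Return one finding per product/version pair revealed in banner headers."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        for product, version in PRODUCT_VERSION.findall(value):
            findings.append({"header": name, "product": product, "version": version})
        if BARE_VERSION.match(value):
            findings.append({"header": name, "product": name, "version": value})
    return findings


def check_raw_response(raw: bytes) -> list:
    """Raw response head -> list of disclosure findings."""
    return find_version_disclosures(parse_response_head(raw))


# Constructed sample: the verbose banner the report describes.
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed sample: the same server after hardening. On Apache that is
# "ServerTokens Prod" plus "ServerSignature Off"; on nginx "server_tokens off;";
# "expose_php = Off" in php.ini removes the X-Powered-By header.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_raw_response(raw)
        print(f"{label}: {len(found)} disclosure(s)")
        for f in found:
            print(f"  {f['header']}: {f['product']} {f['version']}")
```

Feeding the check the head of a real response (for example from a scripted `HEAD` request in your own monitoring) turns it into a regression test: any non-empty result after a deployment means a banner has crept back in. Hiding the version is not a substitute for patching, which the report's 48-hour example above makes the real target, but it removes the free profiling step the report describes.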
[Charts: “Potential web server vulnerability - TOTAL count per sector” and “Potential web server vulnerability - AVERAGE count per company per sector”. Sectors shown: Support Services, Software & Computer Services, Chemicals, Nonlife Insurance, Travel & Leisure, Mining, General Industrials, Technology Hardware & Equipment, Electronic & Electrical Equipment, Oil & Gas Producers, Pharmaceuticals & Biotechnology, Banks, Media, Aerospace & Defence, General Retailers, Telecommunications; the per-sector values could not be reliably paired with sectors in the extracted text.]
Looking at the results by industry group, the highest averages for out-of-date web servers were held by:
[Chart: average out-of-date web servers per company by sector. Sectors shown: Financial Services, Oil Equipment & Services, Pharmaceuticals & Biotechnology, Health Care Equipment & Services, General Retailers, Oil Equipment, Services & Distribution, Technology Hardware & Equipment, Utilities, Aerospace & Defence, Banks, Support Services, Personal Goods, Oil & Gas Producers, General Industrial, Software & Computer Services, Telecommunications; the values in the extracted text range from 4 to 9 but could not be reliably paired with sectors.]
“Utilities rated worst for leaking internal user names - on average 126 per company”
[Chart (title not recovered): per-sector figures accompanying the quote above. Sectors shown: Support Services, Mining, General Retailers, Oil Equipment, Services & Distribution, Pharmaceuticals & Biotechnology, Real Estate Investment Trusts, General Financial, Oil & Gas Producers, Utilities, Industrial Engineering, Software & Computer Services, Banks, Aerospace & Defence, Life Insurance, Telecommunications; the values could not be reliably paired with sectors in the extracted text.]
What we found - Sensitive information within meta-data
Meta-data (information stored inside a document about the document itself) often constitutes an information leak, as it can provide attackers with a view of corporate network users, their email addresses, the software versions they use to create documents and internal network locations where files are stored.
As part of our research, we were able to obtain an average of 41 internal usernames and 44 email addresses per company. These may be used to facilitate targeted phishing email scams. Looking at the results by industry group, most internal email addresses were disclosed by companies in the Aerospace and Defence (212 emails per company), Tobacco (100), Oil Equipment, Services and Distribution (94) and Pharmaceuticals and Biotechnology (93) sectors.
What we found - Internal network locations
Internal network locations point to internal server names and assist hackers in gaining an insight into your internet structure [2].
“We obtained an average of 41 internal usernames and 44 email addresses per company.”
We managed to extract an average of five sensitive internal file locations per company, with the highest recorded instance of 139 internal file locations in one company. The sectors leaking the most internal network locations [3] were:
[Chart: Total recorded internal file locations per sector; values not recovered from the extracted text.]
[2] An internal file name may look something like \\compxlonserv1\MandA\secretfile1.
[3] Excludes Equity investment instruments, Media, Household Goods.
What we found - Hacking forums
Hackers will often share information on potential or already compromised companies as posts on underground forums, using digital whiteboard technology to quickly paste information. These postings often reveal email addresses of individuals to be targeted in ‘spear-phishing’ [4] attacks, passwords of users on internal and external systems, as well as details of internet-facing firewalls and VPN (Virtual Private Network) hosts.
Companies within the following sectors are discussed the most in these forums [5]:
- Banking
- General Financial
- General Retailers
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Software and Computer Services
- Support Services
- Technology Hardware and Equipment
- Telecommunications
- Tobacco
We found that on average a FTSE 350 company will have 12 postings on these forums relating to sensitive corporate information. The highest recorded instance of posts was 748, related to companies in the General Financial sector. The second and third highest recorded entries related to a company in the Technology Hardware and Equipment sector, with 603 and 346 posts respectively.
“Technology Hardware and Equipment had the greatest amount of posts on hacking forums with an average of 163 per company”
[4] An e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data. Source: http://searchsecurity.techtarget.com/definition/spear-phishing
[5] Numbers based on six month collection period (over January to June 2013). Excludes household goods, travel and leisure.
[Chart: KPMG ‘High Threat Club’*. Sectors shown: Mining, Oil Equipment & Services, Support Services, Industrial Engineering, Software & Computer Services, Telecommunications, General Industrials, Aerospace & Defence, Banks, Utilities, Life Insurance, Oil & Gas Producers, General Financial, Technology Hardware & Equipment, Pharmaceuticals & Biotechnology; the scores in the extracted text range from 16 to 30 but could not be reliably paired with sectors.]
* Sectors most likely to be targeted. Sum of the following averages:
- Internal file locations
- Vulnerable Software
- Vulnerable Web Servers
The spotlight is on the Aerospace and Defence sector
Aerospace and Defence stand out as a high risk sector.
Using an email designed to dupe the unsuspecting corporate user, hackers will embed a piece of malware, or a link to a malicious external site. When the user clicks on the link a piece of malware will be delivered to the user’s computer. From this point a user’s machine will be controlled by a third party and data extracted from the corporate network. The hackers will have the same access to everything as the user.
In June 2013, the FBI warned of an increase in criminals using spear-phishing attacks to target multiple industry sectors. (source - http://www.fbi.gov/scams-safety/e-scams)
Did you know? Used by criminals and foreign intelligence services alike, phishing is the targeting mechanism of choice when penetrating an organisation’s network.
“Aerospace and Defence leaked the most email addresses with an average of 212 per company”
Many well publicised breaches have occurred in this sector over the years. As a sector, Aerospace and Defence leaked the most email addresses with an average of 212 per company. In addition, the Aerospace and Defence sector had 1209 recorded meta-data email leaks which was the highest recorded across all sectors. The sector also had the highest number of potentially vulnerable software with a total of 34.
[Chart: Aerospace and Defence, average count per company. Emails 212 and Vulnerable web servers 4 are the pairings recoverable from the extracted text; the remaining values (53, 16, 8 and 6) belong to Users, Internal file locations, Hacking forums and Vulnerable software but could not be reliably paired with their labels.]
Focus on the future…
…Companies should look to minimise the amount of meta-data that can be associated back to their company. Plenty of tools exist to strip this data from documents before they are published. People in sensitive roles that are likely to be the target of phishing or similar cyber attacks should have little online presence and their emails should be filtered. Such roles include IT administrators, heads of research, financial directors and other executives with control over vital corporate information or networks. Finally, and critically, CEOs and non-executive directors should scrutinise and challenge what they are being told by their teams about cyber defences, questioning how robust their defences are and whether they have been actively tested. This requires the people at the very top of their organisation to have an in-depth understanding of both the threats and the countermeasures.
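The meta-data section earlier and the recommendation above both come down to one control: inspect documents before they are published and strip what the report lists (user names, application version, company, internal template and hyperlink paths). The following is an added example of that control, not tooling from the KPMG report and not one of the products it alludes to. It works on OOXML packages (.docx, .xlsx, .pptx), which are zip files whose docProps/core.xml and docProps/app.xml parts carry those fields; the field list, the leak categories and the constructed sample package are this example's assumptions, and it uses only the Python standard library.

```python
"""Inspect and strip identifying meta-data from an OOXML package (.docx/.xlsx/.pptx).
Added example, not code from the KPMG report: the docProps/core.xml and
docProps/app.xml parts of an Office file carry author and last-editor names,
the authoring application and its version, the company and template/hyperlink
paths. Standard library only; the sample package is constructed and fictitious."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
for _p, _u in NS.items():            # keep the conventional prefixes when re-serialising
    ET.register_namespace(_p, _u)

# Clark-notation tag -> kind of leak (the report's own categories).
CORE_FIELDS = {"{%s}creator" % NS["dc"]: "internal user name",
               "{%s}lastModifiedBy" % NS["cp"]: "internal user name"}
APP_FIELDS = {"{%s}Application" % NS_APP: "document software",
              "{%s}AppVersion" % NS_APP: "software version",
              "{%s}Company" % NS_APP: "organisation",
              "{%s}Template" % NS_APP: "internal file location",
              "{%s}HyperlinkBase" % NS_APP: "internal file location"}
PARTS = {"docProps/core.xml": CORE_FIELDS, "docProps/app.xml": APP_FIELDS}


def inspect_metadata(package: bytes) -> list:
    """Return (part, field, value, leak kind) for every populated sensitive field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part, fields in PARTS.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for tag, kind in fields.items():
                el = root.find(tag)
                if el is not None and (el.text or "").strip():
                    findings.append((part, tag.split("}")[1], el.text.strip(), kind))
    return findings


def strip_metadata(package: bytes) -> bytes:
    """Copy the package with the sensitive fields blanked. Elements are emptied, not
    deleted, so the parts stay schema-valid; every other part is copied unchanged."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in PARTS:
                root = ET.fromstring(data)
                for tag in PARTS[item.filename]:
                    el = root.find(tag)
                    if el is not None:
                        el.text = ""
                # app.xml is written with a default namespace, core.xml with prefixes.
                default = NS_APP if item.filename == "docProps/app.xml" else None
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True,
                                   default_namespace=default)
            out.writestr(item, data)
    return out_buf.getvalue()


def read_part(package: bytes, name: str) -> bytes:
    """Read one part of the package; used to confirm the body survives stripping."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.read(name)


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal package carrying typical (fictitious) meta-data."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" xmlns:xsi="%s">'
            '<dc:title>Q2 results pack</dc:title><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>CORP\\ajones</cp:lastModifiedBy>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2013-03-01T09:00:00Z</dcterms:created>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"], NS["xsi"])
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>12.0000</AppVersion><Company>Example Corp plc</Company>'
           '<Template>\\\\corp-fs01\\Templates\\results.dotx</Template></Properties>') % NS_APP
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

Wired into a publishing workflow, `inspect_metadata` is the gate (any finding blocks the upload and names the field that caused it) and `strip_metadata` is the remediation applied before the file reaches the web server. The same control is needed for PDFs and for the legacy binary Office formats, which store equivalent fields in a different structure and need a different parser.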
Contact us to find out more
Malcolm Marshall
Partner
T: +44 (0)20 7311 5456
E: malcolm.marshall@kpmg.co.uk
Stephen Bonner
Partner
T: +44 (0)20 7694 1644
M: stephen.bonner@kpmg.co.uk
Charles Hosner
Partner
T: +44 (0)7500 809 597
M: charles.hosner@kpmg.co.uk
Martin Jordan
Head of Cyber Response
T: +44 (0)776 846 7896
E: martin.jordan@kpmg.co.uk
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be
no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
© 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All
rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
RR Donnelley | RRD-285392 | July 2013 |www.kpmg.co.uk

 
ASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel CanterASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel Canter
 
Generative AI for Social Good at Open Data Science East 2024
Generative AI for Social Good at Open Data Science East 2024Generative AI for Social Good at Open Data Science East 2024
Generative AI for Social Good at Open Data Science East 2024
 
While-For-loop in python used in college
While-For-loop in python used in collegeWhile-For-loop in python used in college
While-For-loop in python used in college
 
Biometric Authentication: The Evolution, Applications, Benefits and Challenge...
Biometric Authentication: The Evolution, Applications, Benefits and Challenge...Biometric Authentication: The Evolution, Applications, Benefits and Challenge...
Biometric Authentication: The Evolution, Applications, Benefits and Challenge...
 
GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]
 
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.
 
Defining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data StoryDefining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data Story
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf
 
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
 
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
 
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptx
 
DBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdfDBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdf
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
 
Advanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsAdvanced Machine Learning for Business Professionals
Advanced Machine Learning for Business Professionals
 

UK Cyber Vulnerability of FTSE350

  • 1. RISK CONSULTING
  An ethical investigation into cyber security across the FTSE350
  UK Cyber Vulnerability Index 2013
  What does your online corporate profile reveal?
  • 2. 1 | Cyber Vulnerability Index
  More than half of the FTSE 350 have out-of-date and potentially vulnerable web servers.
  • 3. How we put together our Index.
  KPMG performed research across the FTSE 350 constituent companies (over January to June 2013), with the aim of performing the same initial steps that hackers and organised criminals would perform when profiling a target organisation for attack or infiltration. This included some of the techniques used by threat actors often referred to as Advanced Persistent Threats, or 'APTs'.
  Our research focused on finding publicly available technical information about the FTSE350 group's respective corporate IT. We mapped the structure of relevant corporate websites to identify potentially sensitive file locations or hidden functionality useful to cyber attackers. We then reviewed the content and meta-data of publicly accessible documents. While navigating the sites, we found interesting internal file locations, email addresses and technical data that would stimulate further investigation by hackers. In addition to websites, we also reviewed the content published on selected public sharing websites.
  All profiling information was sourced from the public documents located on the FTSE350 corporate websites, document meta-data, search engines and public internet forums, and no hacking or illegal actions were performed.
  How cyber criminals use organisations' data against them.
  The perpetrators of modern cyber attacks – whether these are social activists, criminals, competitors, or national governments – make extensive use of publicly available company information when planning their activity. Technical IT data, such as the versions of software used, usernames and email addresses, and technical details about a firm's web-facing systems, is of particular interest to perpetrators. Such data is almost never relevant to the firm's customers or website visitors, but may end up online due to negligence, deficient document publishing procedures, or as a result of earlier security breaches. Even so, it is useful to hackers as it helps profile the target firm's IT and employees, and may reveal weaknesses in the firm's security defences. Because the discovery process is non-intrusive, it leaves minimal to no footprint on the target's systems and is therefore difficult to detect or protect against. The best course of action may still be to minimise the data unnecessarily published in the first place.
  • 4. What we found - Vulnerable web servers
  We observed that over 53 percent of corporate websites were supported by out-of-date and potentially vulnerable technologies.
  Corporate websites are supported by a number of web technologies. When a website is accessed, the web server often reveals its software version in a response header (a 'banner'), which is typically hidden from a web browser's view. The disclosure of these web banner software versions can prove to be of significant value to an attacker when profiling a remote target site and server.
  Out of the 53 percent vulnerable to attack due to missing security patches or outdated server software, the sectors with the highest number of web vulnerabilities[1] were:
  - Support Services
  - Software and Computer Services
  - General Retailers
  - Mining
  - Oil and Gas Producers
  - Pharmaceuticals and Biotechnology
  - Aerospace and Defence
  - Banks
  - Telecommunications
  - General Industrial
  Across the whole FTSE 350 group of companies, we identified an average of three potential web server vulnerabilities per company, with a total of 1121 vulnerabilities recorded. The highest recorded instance of web server vulnerabilities attributed to one company was 32.
  We also noted the large number of development and preproduction web servers during our analysis. In one particular instance we discovered that a home-use web server, which provides a significantly lower level of sophistication and security, was in use by a FTSE350 company.
  It's no longer acceptable to patch internal servers and corporate laptops within four weeks of a patch being released. On a recent piece of client work we witnessed a patching policy of 48 hours for internal systems, covering some 2000 servers and 20,000 laptops, which shows what can be done.
  [1] Excludes Beverages, Media, Travel & Leisure and Equity Investment Instruments.
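The banner disclosure described above can be checked without any intrusive step, which is also why it is the first thing a profiler does. The script below is an added example, not tooling from the KPMG research: it parses the `Server`, `X-Powered-By`, `X-AspNet-Version` and `X-Generator` headers and reports only those that carry a version string, since a bare product name is not what lets an attacker match a host against published advisories. The sample responses are constructed; the hostnames and product/version pairs in them are illustrative, not findings.

```python
"""Flag HTTP response headers that disclose server software versions.

Added example illustrating the 'web banner' disclosure described above; it
is not tooling from the KPMG research. The sample responses are constructed
and the products/versions in them are illustrative, not findings.
"""
import re
import urllib.request
from typing import Dict, List, Tuple

# Response headers that commonly carry a software banner.
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")

# "Apache/2.2.22 (Ubuntu) PHP/5.3.10" -> [("Apache", "2.2.22"), ("PHP", "5.3.10")]
_PRODUCT_RE = re.compile(r"([A-Za-z][\w.\-]*)/(\d+(?:\.\d+)*[\w\-]*)")
_BARE_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample responses (hostnames are documentation names, not real hosts).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "verbose.example": {
        "Server": "Apache/2.2.22 (Ubuntu)",
        "X-Powered-By": "PHP/5.3.10-1ubuntu3",
    },
    "iis.example": {
        "Server": "Microsoft-IIS/7.5",
        "X-AspNet-Version": "4.0.30319",
        "X-Powered-By": "ASP.NET",
    },
    "hardened.example": {
        "Server": "Apache",  # ServerTokens Prod: product only, no version
    },
}


def parse_banner(value: str) -> List[Tuple[str, str]]:
    """Extract every (product, version) pair from a banner string."""
    return _PRODUCT_RE.findall(value)


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that discloses a version string.

    A bare product name ('Server: Apache', 'X-Powered-By: ASP.NET') is not
    reported: the risk the report describes is the version, which lets an
    attacker match the host against published vulnerabilities.
    """
    findings: List[str] = []
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        pairs = parse_banner(value)
        for product, version in pairs:
            findings.append(f"{name} discloses {product} {version}")
        # Headers such as X-AspNet-Version carry a version with no product prefix.
        if not pairs and _BARE_VERSION_RE.fullmatch(value.strip()):
            findings.append(f"{name} discloses version {value.strip()}")
    return findings


def assess_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to its findings; hosts with none are included as empty lists."""
    return {host: assess_headers(hdrs) for host, hdrs in responses.items()}


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Live check with a single HEAD request (network; not used by the offline demo)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.getheaders())


if __name__ == "__main__":
    for host, findings in assess_all(SAMPLE_RESPONSES).items():
        print(host, "->", findings or "no version disclosed")
```

The fix on the server side is configuration, not code: `ServerTokens Prod` and `ServerSignature Off` on Apache, `server_tokens off;` on nginx, and `<httpRuntime enableVersionHeader="false" />` for the ASP.NET version header. Suppressing the banner removes the free version lookup but not the vulnerability, so it belongs alongside the patching cadence the report argues for, not instead of it.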
  • 5. "Telecommunications, Aerospace and Defence, Utilities, Financial Services, Oil Equipment and Services recorded the highest average vulnerable software"
  [Chart: Potential web server vulnerability, average count per company per sector]
  [Chart: Potential web server vulnerability, total count per sector]
  Looking at the results by industry group, the highest averages for out-of-date web servers were held by (sectors shown in the chart): Software & Computer Services, Telecommunications, Financial Services, General Industrial, Oil Equipment & Services, Pharmaceuticals & Biotechnology, Health Care Equipment & Services, General Retailers, Oil Equipment, Services & Distribution, Technology Hardware & Equipment, Banks, Utilities, Aerospace & Defence, Support Services, Personal Goods, Oil & Gas Producers.
  • 6. "Utilities rated worst for leaking internal user names - on average 126 per company"
  • 7. What we found - Sensitive information within document meta-data
  Meta-data (information stored inside a document about the document itself) often constitutes an information leak, as it can provide attackers with a view of corporate network users, their email addresses, the software versions they use to create documents and the internal network locations where files are stored.
  As part of our research, we were able to obtain an average of 41 internal usernames and 44 email addresses per company. These may be used to facilitate targeted phishing email scams. Looking at the results by industry group, most internal email addresses were disclosed by companies in Aerospace and Defence (212 emails per company), Tobacco (100), Oil Equipment, Services and Distribution (94) and Pharmaceuticals and Biotechnology (93).
  "We obtained an average of 41 internal usernames and 44 email addresses per company."
  What we found - Internal network locations
  Internal network locations point to internal server names and assist hackers in gaining an insight into your internal network structure[2]. We managed to extract an average of five sensitive internal file locations per company, with the highest recorded instance of 139 internal file locations in one company. The sectors leaking the most internal network locations[3] were:
  [Chart: Total recorded internal file locations per sector, showing Support Services, Mining, General Retailers, Oil Equipment, Services & Distribution, Pharmaceuticals & Biotechnology, Real Estate Investment Trusts, General Financial, Oil & Gas Producers, Utilities, Industrial Engineering, Software & Computer Services, Banks, Aerospace & Defence, Life Insurance, Telecommunications]
  [2] An internal file name may look something like \\compxlonserv1\MandA\secretfile1.
  [3] Excludes Equity Investment Instruments, Media, Household Goods.
  • 8. What we found - Hacking forums
  Hackers will often share information on potential or already compromised companies as posts on underground forums, using paste sites ('digital whiteboards') to quickly dump information. These postings often reveal email addresses of individuals to be targeted in 'spear-phishing'[4] attacks, passwords of users on internal and external systems, as well as details of internet-facing firewalls and VPN (Virtual Private Network) hosts.
  Companies within the following sectors are discussed the most in these forums[5]:
  - Banking
  - General Financial
  - General Retailers
  - Oil and Gas Producers
  - Pharmaceuticals and Biotechnology
  - Software and Computer Services
  - Support Services
  - Technology Hardware and Equipment
  - Telecommunications
  - Tobacco
  We found that on average a FTSE 350 company will have 12 postings on these forums relating to sensitive corporate information. The highest recorded instance of posts was 748, related to companies in the General Financial sector. The second and third highest recorded entries related to a company in the Technology Hardware and Equipment sector, with 603 and 346 posts respectively.
  "Technology Hardware and Equipment had the greatest amount of posts on hacking forums with an average of 163 per company"
  [Chart: KPMG 'High Threat Club'*; values legible in the chart: Mining 16, Oil Equipment & Services 22, Support Services 23, Industrial Engineering 23, Software & Computer Services 25, Telecommunications 26, General Industrials 26, Aerospace & Defence 26, Banks 27; also shown, with values between 18 and 30: Utilities, Life Insurance, Oil & Gas Producers, General Financial, Technology Hardware & Equipment, Pharmaceuticals & Biotechnology]
  * Sectors most likely to be targeted. Sum of the following averages: internal file locations, vulnerable software, vulnerable web servers.
  [4] An e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data. Source: http://searchsecurity.techtarget.com/definition/spear-phishing
  [5] Numbers based on a six month collection period (January to June 2013). Excludes Household Goods, Travel and Leisure.
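The defensive counterpart to the forum finding above is to watch such postings for your own domain and decide quickly whether a post is merely a list of addresses or something that needs an incident. The script below is an added example, not part of the KPMG research: it triages one post for a watched domain, separating corporate email addresses, `user@domain:password` credential pairs and edge-infrastructure hostnames (VPN, firewall, mail gateways) from noise about other organisations. The paste is constructed, using the reserved example.com domain and the 203.0.113.0/24 documentation range; it is not a real leak.

```python
"""Triage a forum/paste-site post for a watched corporate domain.

Added example for the 'hacking forums' finding above; it is not part of the
KPMG research. The paste below is constructed (example.com and 203.0.113.0/24
are reserved documentation names) and is not a real leak.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
# Credential-dump line shapes: user@domain:password, user@domain;password, user@domain|password
CRED_RE = re.compile(r"^\s*([\w.+-]+@[\w.-]+)\s*[:;|]\s*(\S+)\s*$", re.M)
# Host labels that name edge infrastructure an attacker would target first.
INFRA_PREFIXES = ("vpn", "fw", "firewall", "gw", "owa", "mail", "remote", "citrix", "rdp")

SAMPLE_PASTE = """\
#oplastweek - example plc dump (constructed sample, not a real post)
jsmith@example.com:Summer2013!
a.jones@example.com;Passw0rd
bob@othercorp.test:hunter2
press contact: press@example.com (do not target)
vpn.example.com 203.0.113.5 - SSL VPN on 443
fw01.example.com 203.0.113.1 - perimeter firewall
www.example.com 203.0.113.80
"""


@dataclass
class PasteFindings:
    emails: List[str] = field(default_factory=list)
    credentials: List[Tuple[str, str]] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)

    def severity(self) -> str:
        """Credentials or named edge hosts warrant an incident, not just a notice."""
        if self.credentials or self.hosts:
            return "high"
        return "medium" if self.emails else "none"


def triage_paste(text: str, domain: str) -> PasteFindings:
    """Collect addresses, credential pairs and infrastructure hosts for one domain."""
    d = domain.lower()
    found = PasteFindings()
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0).lower()
        if addr.endswith("@" + d) and addr not in found.emails:
            found.emails.append(addr)
    for m in CRED_RE.finditer(text):
        user, secret = m.group(1).lower(), m.group(2)
        if user.endswith("@" + d):
            found.credentials.append((user, secret))
    # Hostnames under the watched domain; only infrastructure-style labels are kept.
    host_re = re.compile(r"\b((?:[\w-]+\.)+" + re.escape(d) + r")\b", re.I)
    for m in host_re.finditer(text):
        host = m.group(1).lower()
        if host.split(".")[0].startswith(INFRA_PREFIXES) and host not in found.hosts:
            found.hosts.append(host)
    return found


if __name__ == "__main__":
    result = triage_paste(SAMPLE_PASTE, "example.com")
    print(result.severity(), result)
```

On the sample, the addresses belonging to another organisation and the public `www` host are ignored, the two credential pairs and the two edge hosts push the post to "high", and the press address is still listed so the phishing-target side of the finding is not lost. A real monitor would feed this from a paste-site or forum feed and force password resets for every account in `credentials` before anything else.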
  • 9. The spotlight is on the Aerospace and Defence sector
  Aerospace and Defence stands out as a high risk sector. Many well publicised breaches have occurred in this sector over the years. As a sector, Aerospace and Defence leaked the most email addresses, with an average of 212 per company. In addition, the Aerospace and Defence sector had 1209 recorded meta-data email leaks, which was the highest recorded across all sectors. The sector also had the highest number of potentially vulnerable software, with a total of 34.
  "Aerospace and Defence leaked the most email addresses with an average of 212 per company"
  Average count per company (Aerospace and Defence):
  - Emails: 212
  - Users: 53
  - Internal file locations: 16
  - Hacking forums: 8
  - Vulnerable software: 6
  - Vulnerable web servers: 4
  Did you know? Used by criminals and foreign intelligence services alike, phishing is the targeting mechanism of choice when penetrating an organisation's network. Using an email designed to dupe the unsuspecting corporate user, hackers will embed a piece of malware, or a link to a malicious external site. When the user clicks on the link, a piece of malware will be delivered to the user's computer. From this point the user's machine will be controlled by a third party and data extracted from the corporate network. The hackers will have the same access to everything as the user.
  In June 2013, the FBI warned of an increase in criminals using spear-phishing attacks to target multiple industry sectors. (Source: http://www.fbi.gov/scams-safety/e-scams)
  • 10. Focus on the future…
  • 11. …Companies should look to minimise the amount of meta-data that can be associated back to their company. Plenty of tools exist to strip this data from documents before they are published. People in sensitive roles that are likely to be the target of phishing or similar cyber attacks should have little online presence and their emails should be filtered. Such roles include IT administrators, heads of research, financial directors and other executives with control over vital corporate information or networks. Finally, and critically, CEOs and non-executive directors should scrutinise and challenge what they are being told by their teams about cyber defences, questioning how robust their defences are and whether they have been actively tested. This requires the people at the very top of their organisation to have an in-depth understanding of both the threats and the countermeasures.
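The meta-data findings on slide 7 and the "strip before publishing" advice above come down to the same few fields in an Office document, so one added example serves both. The script below is not the report's own tooling: it builds a minimal .docx in memory, pulls out the author (`dc:creator`), last editor, application version, company, template and every UNC path hidden in the package (the hyperlink base and an attached-template relationship are the usual carriers), then writes a stripped copy and re-checks it. All values are constructed; the `\\compxlonserv1\MandA\` server path reuses the report's own illustrative example and `EXAMPLE\a.jones` is a made-up account.

```python
"""Extract, then strip, the meta-data an attacker profiles from a .docx.

Added example for the meta-data findings and the 'strip before publishing'
recommendation; it is not the KPMG report's own tooling. The document is
built in memory from constructed values; the UNC server name reuses the
report's own illustrative path, and EXAMPLE\\a.jones is a made-up account.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

CORE, APP, RELS = "docProps/core.xml", "docProps/app.xml", "word/_rels/settings.xml.rels"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\s\"'<>]*")  # \\server\share\path

# Constructed sample package: the parts a meta-data tool actually reads.
SAMPLE_PARTS: Dict[str, str] = {
    "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    CORE: ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:title>Board pack</dc:title>'
           '<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>EXAMPLE\\a.jones</cp:lastModifiedBy>'
           '</cp:coreProperties>') % (NS["cp"], NS["dc"]),
    APP: ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
          '<AppVersion>14.0000</AppVersion><Company>Example plc</Company>'
          '<Template>board.dotm</Template><HyperlinkBase>\\\\compxlonserv1\\MandA\\</HyperlinkBase>'
          '</Properties>') % NS["ep"],
    RELS: ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
           '<Relationship Id="rId1" TargetMode="External" Type="http://schemas.openxmlformats.org/'
           'officeDocument/2006/relationships/attachedTemplate" '
           'Target="file:///\\\\compxlonserv1\\MandA\\templates\\board.dotm"/></Relationships>'),
}


def build_docx(parts: Dict[str, str]) -> bytes:
    """Zip the parts into a minimal OOXML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def _text(root: ET.Element, path: str) -> str:
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def extract_metadata(docx: bytes) -> Dict[str, object]:
    """Return the users, software versions and internal paths the package reveals."""
    keys = ("creator", "last_modified_by", "application", "app_version", "company", "template")
    meta: Dict[str, object] = {k: "" for k in keys}
    unc: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = z.namelist()
        if CORE in names:
            core = ET.fromstring(z.read(CORE))
            meta["creator"], meta["last_modified_by"] = _text(core, "dc:creator"), _text(core, "cp:lastModifiedBy")
        if APP in names:
            app = ET.fromstring(z.read(APP))
            for key, tag in (("application", "Application"), ("app_version", "AppVersion"),
                             ("company", "Company"), ("template", "Template")):
                meta[key] = _text(app, "ep:" + tag)
        # UNC paths hide in any XML part: hyperlink base, attached template, linked images.
        for name in sorted(names):
            if name.endswith((".xml", ".rels")):
                for path in UNC_RE.findall(z.read(name).decode("utf-8", "replace")):
                    if path not in unc:
                        unc.append(path)
    meta["unc_paths"] = unc
    return meta


def strip_metadata(docx: bytes) -> bytes:
    """Rewrite the package: core keeps only the title, app only the application
    name; attachedTemplate relationships (the usual UNC carrier) are dropped,
    together with the settings.xml element that references them."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == CORE:
                title = escape(_text(ET.fromstring(data), "dc:title"))
                data = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:title>%s</dc:title>'
                        '</cp:coreProperties>' % (NS["cp"], NS["dc"], title)).encode()
            elif name == APP:
                application = escape(_text(ET.fromstring(data), "ep:Application"))
                data = ('<Properties xmlns="%s"><Application>%s</Application></Properties>'
                        % (NS["ep"], application)).encode()
            elif name.endswith(".rels"):
                data = re.sub(r'<Relationship\b[^>]*attachedTemplate"[^>]*/>', "", data.decode("utf-8")).encode()
            elif name == "word/settings.xml":
                data = re.sub(r"<w:attachedTemplate\b[^>]*/>", "", data.decode("utf-8")).encode()
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_docx(SAMPLE_PARTS)
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(strip_metadata(sample)))
```

Two caveats a practitioner would want. First, the stripper leaves hyperlink relationships alone, because removing one would break the `w:hyperlink` that references it; a UNC target on a hyperlink still shows up in `unc_paths` and has to be fixed in the document itself. Second, run `extract_metadata` on the output, as the demo does, rather than trusting the stripping step: the report's point is that what reaches the public web is what gets profiled, and the check is cheap.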
  • 12. Contact us to find out more
  Malcolm Marshall, Partner. T: +44 (0)20 7311 5456. E: malcolm.marshall@kpmg.co.uk
  Stephen Bonner, Partner. T: +44 (0)20 7694 1644. E: stephen.bonner@kpmg.co.uk
  Charles Hosner, Partner. T: +44 (0)7500 809 597. E: charles.hosner@kpmg.co.uk
  Martin Jordan, Head of Cyber Response. T: +44 (0)776 846 7896. E: martin.jordan@kpmg.co.uk
  The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
  © 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.
  RR Donnelley | RRD-285392 | July 2013 | www.kpmg.co.uk