Cybersecurity experts often talk about the level of exposure, or the amount of "attack surface," when describing security vulnerabilities and cyber risks. Both factors affect the likelihood that an individual or organization will fall victim to either widespread internet threats, such as WannaCry, or to more targeted threats, such as government surveillance.
It's difficult to determine the net level of exposure of individuals and organizations globally, and until recently, few tried. That's why cybersecurity company Rapid7 put its Project Sonar – essentially, a tool for scanning the entire internet – to work gathering data for last year's first National Exposure Index (NEI).
The company recently published its second edition, the 2017 NEI, which investigates "risk of passive eavesdropping and active attack on the internet," providing "measurable, quantitative answer to the nature of internet exposure and where, physically, those exposed services are located."
NEI researchers define "exposure" as either natively unencrypted services on the public internet (think File Transfer Protocol vs. Secure File Transfer Protocol) or services available via the public internet that are unsuitable for widespread accessibility (think Microsoft's Server Message Block [SMB]). If one or both conditions are found to be true for Internet Protocol (IP)-accessible servers, then it counts against the country and increases its overall exposure rating.
According to the 2017 NEI, the countries of Zimbabwe, Hong Kong Special Administrative Region, Samoa, Republic of the Congo, Tajikistan, Romania, Ireland, Lithuania, Australia and Estonia top the list. China and Russia fall into the top 50 most exposed, but given its large Internet Protocol version 4 (IPv4) address space, the U.S. ranks relatively low in total exposure, researchers reported.
This year's study found that the U.S. has both the largest allocation of IPv4 addresses in the world (1.6 billion) and the largest population of in-use IPv4 servers (37 million). However, individuals and organizations are limiting exposure of unsuitable services to the public internet. "Of our 30 surveyed ports," the researchers wrote, "only the familiar HTTP TCP port 80 accounts for more than 1 percent of the total exposed services across the allocated US IPv4 space."
The U.S. also ranked well in the use of encryption, with an encrypted web ratio of 44 percent, an encrypted client mail ratio of 46 percent and an encrypted shell ratio of "an impressive" 81 percent, the researchers noted.
The 2017 NEI's other key findings included over 1 million endpoints globally that currently expose Microsoft file-sharing services (SMB, TCP port 445). Of those 1 million, 800,000 were confirmed to be Windows systems, "spanning virtually the entire product and release version lineage of the company," the researchers wrote. SMB exposure is significant because the WannaCry cyberattack exploited a vulnerability in the SMB protocol, which has long concerned security researchers.
The researchers uncovered another key finding related to the protocol Telnet (port 23). In 2016, Project Sonar returned 14.8 million nodes with Telnet exposed. In 2017, that number decreased to just under 10 million, representing a 33 percent year-over-year drop. The researchers attributed the decline to two factors: The first is internet service providers actions, such as closing port 23 in response to the Mirai botnet, and the second is Mirai, BrickerBot and other botnets knocking nodes offline.
The most improved country award probably goes to Belgium, which topped the 2016 rankings. Over the past year, the country viewed as the seat of the European Union reduced exposed services by 250,000, which removed it from the top 50.
"These key findings illustrate two overall themes," the researchers wrote. "First, the phenomenon of widespread internet exposure makes for an environment attractive to criminals and other malicious actors, as well as accidental data breaches. Second, as was the case in Belgium, national technical leadership can absolutely take steps to reduce their regional internet exposure, thereby strengthening their networks and protecting users."
For the 2017 study, the researchers employed an improved algorithm and enhanced scanning and geolocation methodologies.
"Now in its second year, the National Exposure Index (and the accompanying datasets) continues to serve as an important study into the nature of the internet. We now have access to year-over-year data which can help us develop theories about the trends at work in our shared online world," the researchers noted.
A highlight of the 2017 report is the researcher's use of "quasirandom beeswarm" plots to visually present findings. The full report, with quasirandom beeswarm plots, is available online.