Rapid7 NICER - starting a conversation on internet security
There has never been a more opportune moment than now to discuss internet security: the COVID-19 pandemic has forced many companies and individuals to reconsider their basic operations, reimagine manual processes and also vindicated the effectiveness of remote working. A consequence of the modern world’s reliance on digital technology is the near-constant vigilance required to ensure its integrity; far from being a static issue which can be addressed satisfactorily with yesterday’s tech, a spirit of innovation and honest critical evaluation is required to understand and remedy the underlying problems which threaten to disrupt us. To spur on a debate and engage developers, regulatory authorities and the wider community, security specialist Rapid7 has released NICER 2020 (National / Industry / Cloud Exposure Report), the most comprehensive census of the modern internet risk landscape ever completed.
Speaking to us on Zoom with a background representing a visualised ‘map’ of the internet, Tod Beardsley, Director of Research at Rapid7, emphasises that NICER is an attempt to spur the world into affirmative action, “We're hoping that this report helps people make informed decisions about what they should be putting on the internet, what they shouldn't and what their local ‘neighbourhoods’ might look like. NICER is being released for free; Rapid7 wants everybody to pick this up and peruse it.” A comprehensive document split into 16 sections and three appendices, NICER is the result of four years’ worth of research, although it starts with a relatively modern focus: the effect of the global pandemic on internet security, which, Beardsley states, was surprising. “We were planning things out in January and February and then the world came crashing down. I thought, ‘Hang on, let's redo all our scans; surely has fundamentally changed’. However, we found no effect at all.” In fact, the results showed a reduction in dangerous services, most notably Windows SMB (service message block) network protocols.
However, this unexpected good news shouldn’t lull people into a false sense of security - the “myth of the silver city”, to quote the report - Beardsley is adamant that vigilance and proactivity are the keys to success. “The problem [with the perception that progress is being made] is that we're not going in that direction fast enough,” which is re-emphasised in NICER: “...the security of the internet still trails the desire to just get things working, and working quickly.” This sentiment roughly encapsulates the challenge faced by those endeavouring to bolster internet security: to construct an efficient operating model which doesn’t sacrifice integrity, with necessary updates and patches implemented in a timely and consistent manner. The report can help facilitate the achievement of this goal by providing hard data that developers can reference as they seek out solutions.
In terms of cyberattacks themselves, Beardsley states that they continue to include conventional ‘phishing’ scams as well as more advanced methods, such as “exploiting known vulnerabilities and old software that's on the edge.” The report includes a summary of the ‘most exposed’ countries by total attack surface, exposure to selected services, vulnerability rate and other metrics. While countries such as the US and China might bring no surprises for their high-risk factor, NICER also includes some surprises such as Canada (9) ranking higher than Iran (10), despite the former having a population density almost 50% lower than the latter. This is a perfect example of the report’s ability to correct potentially damaging preconceptions. “Iran is very technically savvy but it is more reliant on client-oriented internet (mobile phone networks, etc), whereas Canada has a lot more in the way of wired infrastructure and servers.”
NICER’s information about entire countries enables each to identify its own ‘neighbourhood’ and measure its progress relative to others, but what about specific industries? The report also includes a graph measuring each sector’s vulnerable assets, revealing that highly essential services - telecoms, financial services, retail and pharma - are amongst the most exposed, including some of the largest organisations on the FTSE 100, Fortune 500 and Nikkei Index. “These companies have the resources to be great at security, but, ultimately, it's not their job,” says Beardsley. “And a lot of these companies are over 10 years old and haven’t gotten around to upgrading, particularly if everything still appears to be working fine.” The blight of legacy network protocols is also problematic, with some like FTP (file transfer protocol) dating back to the 1970s and possessing no inherent cryptographic assurances. Maintaining patch and version management, therefore, is essential. With cloud also continuing to be adopted more widely, Beardsley states that the information on this topic explored in NICER will be developed further into a forthcoming report at the end of 2020.
Policymakers, too, have a crucial role to play - as stated in NICER: “The pen Is mightier than the firewall.” Rapid7’s report aims to supply regulators and legislators of all kinds with the necessary information needed to focus their attentions. “Legislators and even cyber insurers want to look at this stuff to understand what's acceptable and what's not. I think policymakers have a pretty critical role, both in terms of understanding risk management and understanding like how the internet itself works.” Citing their ability to find effective solutions to problems which are still economically viable, Beardsley also believes that policymakers ability to bring pressing issues to the forefront of people’s attention makes them an invaluable ally. “They can sound the national security alarm and people will listen,” he adds.
NICER explores in great detail two protocols still in widespread use: Telnet and SMB. Under analysis, Rapid7 found that both were outdated and neither was particularly suited to modern internet usage; in fact, Telnet was originally specced out as a temporary solution in the 1960s. “It is obvious from this RFC (request for commands) that [Telnet] was intended to be a temporary solution and that ‘more sophisticated subsystems will be developed in time’, but to borrow from Milton Friedman, ‘there is nothing quite so permanent as a temporary solution’,” says the report. This is not to say that old systems or protocols cannot have value. However, the antiquated nature of Telnet comes from a time when active and passive attackers did not exist, thus rendering its practical use limited. Alternatives such as SSH (Secure Shell) make for a compelling alternative, albeit with its own drawbacks related to exposing console access to the internet. “With SSH, I can tell with certainty that the computer I'm talking to is the one I thought I was talking to because they have cryptographic fingerprints that are easily verified,” clarifies Beardsley. SMB, on the other hand, was found to be too complex, almost to the point of obscurant. With “the most destructive internet worms in history” using SMB in some way, NICER advocates for HTTPS as an alternative. “SMB is very opaque,” Beardsley summarises. “It makes cryptographic guarantees that it can't keep. I'm not advocating for the end of SMB, but having it directly exposed to the internet is a pretty bad idea and it’s almost always accidental.”
The conclusion of NICER provides a mixed but ultimately encouraging takeaway, “Things aren't great, but not disastrously bad and relatively small changes in how we design, develop and deploy services will still have a great impact on the stability, safety and security of the internet as a whole.” This is a sentiment that Beardsley echoes: “At the moment, I feel like a climate scientist saying global warming is happening but everyone is responding, ‘But it's fine right now’.” Indeed, the problem with underlying issues relating to internet security is how everyday interactions with it (using social media, watching videos, research, etc) appear unaffected, yet the potential for all these things to be disrupted exists on a fundamental level. “Internet security is not a goal in and of itself: security enables culture, commerce, art and even society,” he continues. “I don't see a world where we're licensing people to programme on the internet, but I would like us to reach a point where it's normal for software developers or electrical engineers to learn new aspects of security in their professional development.” Rapid7’s NICER could play a crucial role in expanding global consciousness on the importance of internet security. In fact, Beardsley hopes that it is the start of an ongoing and fruitful debate. “If someone else out there has different stats or conclusions, we're more than happy to have that conversation. NICER is not a ‘one and done’ report; this is an entry point into what will hopefully be several conversations on what we want the future of the internet to be.”