- Financial Services accounts for 50 percent of the industries at risk, with Banking the sector at highest risk
- Technology, Media, and Telecommunications account for over 20 percent of the sectors at risk
KPMG performed research across the Forbes 2000 list of companies, with the aim of performing the same initial steps that cyber attackers and organised criminals would perform when profiling a target organisation for attack, using techniques that are often referred to as Advanced Persistent Threats, or ‘APTs’.
This publication provides a view on the common basic tactics hackers employ, highlights the industries and regions most at risk, and provides advice and guidance on how to safeguard your organisation.
- 78 percent of Forbes 2000 corporate websites leak some form of potentially useful information through document meta-data
- According to version information retrieved from document meta-data, 71 percent of the Forbes 2000 companies may be using potentially vulnerable and outdated versions of Microsoft and Adobe software
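As an added example (not KPMG's code or tooling), the Python below shows what a .docx published on a corporate site gives away through its Office Open XML property parts, and a way to blank those fields before publishing; the sample package, field names and values are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML property parts, their namespaces, and the fields worth checking before publishing.
NS = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
FIELDS = [("docProps/app.xml", "ep:Application", "Application"),
          ("docProps/app.xml", "ep:AppVersion", "AppVersion"),
          ("docProps/app.xml", "ep:Company", "Company"),
          ("docProps/core.xml", "dc:creator", "creator"),
          ("docProps/core.xml", "cp:lastModifiedBy", "lastModifiedBy")]
PARTS = {part for part, _, _ in FIELDS}

def build_sample_docx() -> bytes:
    """Constructed sample package (not a real corporate file) with typical property parts."""
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>12.0000</AppVersion><Company>Example Corp</Company></Properties>' % NS["ep"])
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>j.doe</dc:creator>'
            '<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy></cp:coreProperties>' % (NS["cp"], NS["dc"]))
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("docProps/app.xml", app)
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")  # body content is irrelevant here
    return buf.getvalue()

def extract_metadata(docx_bytes: bytes) -> dict:
    """Read the identifying properties exactly as anyone who downloads the file could."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = {p: ET.fromstring(z.read(p)) for p in PARTS if p in z.namelist()}
    hits = ((label, parts[part].find(xpath, NS)) for part, xpath, label in FIELDS if part in parts)
    return {label: el.text for label, el in hits if el is not None and el.text}

def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Blank those properties in place; every other part of the package is copied unchanged."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep the prefixes stable when re-serialising
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in PARTS:
                root = ET.fromstring(data)
                for el in (root.find(x, NS) for p, x, _ in FIELDS if p == name):
                    if el is not None:
                        el.text = None  # serialises as an empty element
                data = ET.tostring(root, encoding="utf-8")
            dst.writestr(name, data)
    return out.getvalue()
```

Running extract_metadata over every document in a site's download area is the check; scrub_metadata (or the equivalent in a publishing workflow) is the fix for the fields it reports.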
Harvesting Sensitive Locations and Hidden Functionality
Part of our research focused on the structure of the Forbes 2000 corporate websites to identify any potentially sensitive file locations or hidden functionality that may be useful to cyber attackers. While navigating the sites, we found a number of keywords that revealed interesting file locations that would stimulate further investigation by cyber attackers.
When serving test, upload or hidden functionality, many companies face the associated risk of cyber attackers defacing websites, or assuming control of those sites. Cyber attackers may also use this newly gained functionality to inject malware into the sites, which can then infect subsequent visitors to those sites.
Gathering Data from Popular Search Engines
As part of many popular search engine services, discussions are stored within a searchable web cache and can be queried for specific postings by users. In addition to the meta-data available, individuals often expose sensitive information within these postings about the technologies currently in use by their organisations. Online discussions often reveal details of corporate projects and the technologies companies use. They also reveal e-mail addresses of potential spear-phishing targets.
- Technology and Software companies post far more information to online forums and newsgroups than all other sectors combined
Web Server Software Vulnerabilities
Corporate websites run on an underlying web server technology. When a website is accessed, the web server often reveals its software version in a banner that is not shown in a web browser's normal view. Information leakage in these web server banners can prove to be of significant value to an attacker when profiling a remote target site and server.
- 16% of Forbes 2000 corporate web servers may be vulnerable to attack due to missing security patches or outdated server software
Who is most at Risk?
The top 10 Forbes 2000 companies leaking information hail from either the US or Japan.
The most information leaks by sector are from Financial Services, Software, Technology, Telecoms and Banking organisations.