Publish and be damned - What does your online corporate profile reveal? 

KPMG Cyber Vulnerability Index 2012

With so many cyber attacks in the news recently, executives are becoming increasingly concerned about their organisation’s exposure to hackers. And so they should. According to the KPMG Cyber Vulnerability report 2012, more than three quarters of the Forbes 2000 companies leak potentially dangerous data.
  • Financial Services accounts for 50 percent of the companies at risk, with Banking the sector at highest risk
  • Technology, Media, and Telecommunications account for over 20 percent of the sectors at risk


KPMG performed research across the Forbes 2000 list of companies, with the aim of performing the same initial steps that cyber attackers and organised criminals would perform when profiling a target organisation for attack, using techniques that are often referred to as Advanced Persistent Threats, or ‘APTs’.


This publication provides a view on the common basic tactics hackers employ, highlights the industries and regions most at risk, and provides advice and guidance on how to safeguard your organisation.


Key findings of the report are summarised below:


Collecting Meta-data


  • 78 percent of Forbes 2000 Corporate websites leak some form of potentially useful information through document meta-data
  • According to version information retrieved from document meta-data, 71 percent of the Forbes 2000 companies may be using potentially vulnerable and outdated versions of Microsoft and Adobe software
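As an added example (not part of the KPMG report), the check below reads a PDF's Info dictionary and flags the fields that reveal an author name or the version of the software that produced the document, which is the kind of leakage the two findings above describe. The sample PDF bytes are constructed for the demonstration and do not come from any real company's website.

```python
import re

# Constructed sample: a minimal PDF whose Info dictionary looks like what
# desktop authoring tools emit. It is not a document from any real company.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Quarterly Report)
           /Author (jsmith)
           /Creator (Microsoft Word 2003)
           /Producer (Acrobat Distiller 6.0 \\(Windows\\)) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info fields that reveal who made the document and with what software.
LEAKY_FIELDS = ("Author", "Creator", "Producer", "CreationDate", "ModDate")
# Dotted version numbers (6.0, 11.0.3) or a product year (Word 2003).
VERSION_RE = re.compile(r"\b(?:\d+(?:\.\d+)+|(?:19|20)\d{2})\b")

def extract_pdf_info(pdf: bytes) -> dict:
    """Return the literal-string entries of the PDF's Info dictionary.

    Covers the common case of an unencrypted Info object with parenthesised
    strings; object streams and UTF-16 strings are out of scope here.
    """
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return {}
    obj_re = (rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
              + rb"\s+obj\s*<<(.*?)>>\s*endobj")
    obj = re.search(obj_re, pdf, re.S)
    if not obj:
        return {}
    entries = re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1))
    return {k.decode(): v.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            for k, v in entries}

def audit_pdf_metadata(pdf: bytes) -> dict:
    """Map each leaky Info field present to 'version' when its value names a
    software version or product year, else 'identity' (e.g. a user name)."""
    info = extract_pdf_info(pdf)
    return {k: ("version" if VERSION_RE.search(v) else "identity")
            for k, v in info.items() if k in LEAKY_FIELDS}

if __name__ == "__main__":
    info = extract_pdf_info(SAMPLE_PDF)
    for field, verdict in audit_pdf_metadata(SAMPLE_PDF).items():
        print(f"{field:<9} {verdict:<8} {info[field]}")
```

The script only reports what would be exposed; removing the fields should be done with the authoring tool's own metadata-removal feature before the document is published, since rewriting PDF bytes by hand breaks the cross-reference table.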


Harvesting Sensitive Locations and Hidden Functionality


Part of our research focused on the structure of the Forbes 2000 corporate websites to identify any potentially sensitive file locations or hidden functionality that may be useful to cyber attackers. While navigating the sites, we found a number of keywords that revealed interesting file locations that would stimulate further investigation by cyber attackers.


When serving test, upload or hidden functionality, many companies face the associated risk of cyber attackers defacing websites, or assuming control of these sites. Cyber attackers may also use this newly gained functionality to inject malware into the sites, which will infect all subsequent visitors of those sites.


Gathering Data from Popular Search Engines


As part of many popular search engine services, discussions are stored within a searchable web cache and can be queried for specific postings by users. Beyond the meta-data available, individuals often expose in these postings sensitive information about the technologies their organisations currently use, along with details of corporate projects. The postings also reveal e-mail addresses of potential spear-phishing targets.


  • Technology and Software companies post far more information to online forums and newsgroups than all other sectors combined


Web Server Software Vulnerabilities


Corporate websites run on an underlying web server technology. When a website is accessed, the web server often reveals its software version in a banner that is typically hidden from a web browser’s view. Information leakage in these web server banner versions can prove to be of significant value to an attacker when profiling a remote target site and server.


  • 16 percent of Forbes 2000 corporate web servers may be vulnerable to attack due to missing security patches or outdated server software


Who is most at Risk?


The Top 10 Forbes 2000 companies leaking information hail from either the US or Japan.


The most information leaks by sector are from Financial Services, Software, Technology, Telecoms and Banking organisations.

Contact

Malcolm Marshall
UK Head of Information Security
KPMG in the UK
020 7311 5456
malcolm.marshall@kpmg.co.uk

Martin Jordan
Head of Cyber Response
KPMG in the UK
07768 467896
martin.jordan@kpmg.co.uk