Average Fortune 500 Company Has 476 Critical Vulnerabilities

Written By
Jeff Goldman
Dec 7, 2022
In a recent analysis of the public and Internet-facing assets of 471 of the Fortune 500 companies, Cyberpion uncovered more than 148,000 critical vulnerabilities (exploits that are publicly available and actively targeted), with an average of 476 per company.

Fully 98 percent of Fortune 500 companies have critically vulnerable internal assets, 95 percent have expired certificates, and 85 percent have exposed login pages accessible over HTTP. Sixty-two percent have critical risky connections – the average company has eight, and the most vulnerable has 350.

The report follows the October release by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) of a Binding Operational Directive focused on, in the agency’s words, “two core activities essential to improving operational visibility for a successful cybersecurity program: asset discovery and vulnerability enumeration.”
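The findings above (expired certificates, login pages served over plain HTTP, and vulnerabilities for which exploits are public and actively used) and the directive's two activities (asset discovery and vulnerability enumeration) all reduce to the same defensive routine: keep an inventory of external assets and run a few checks over it. The following script is an added example written for this article; it is not code from Cyberpion, CISA or the author. The inventory, the `.example` hostnames and the `CVE-0000-*` identifiers are constructed placeholders, and `KNOWN_EXPLOITED` stands in for a real known-exploited-vulnerabilities catalogue such as CISA's KEV list.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed stand-in for a known-exploited-vulnerabilities catalogue
# (e.g. CISA KEV). The CVE ids are placeholders, not real entries.
KNOWN_EXPLOITED: Set[str] = {"CVE-0000-0001", "CVE-0000-0002"}


@dataclass
class Asset:
    """One Internet-facing asset as recorded in an external asset inventory."""
    host: str
    url: str                              # scheme shows whether it is served over HTTP
    is_login_page: bool
    cert_not_after: Optional[date]        # None when no TLS certificate is served
    cves: Set[str] = field(default_factory=set)   # CVEs found by vulnerability enumeration


@dataclass
class Findings:
    expired_certs: List[str] = field(default_factory=list)
    http_login_pages: List[str] = field(default_factory=list)
    critical_vulns: List[Tuple[str, str]] = field(default_factory=list)


def triage(assets: List[Asset], today: date,
           known_exploited: Set[str] = KNOWN_EXPLOITED) -> Findings:
    """Apply the three hygiene checks from the report to one company's inventory."""
    f = Findings()
    for a in assets:
        scheme = urlparse(a.url).scheme.lower()
        if a.cert_not_after is not None and a.cert_not_after < today:
            f.expired_certs.append(a.host)
        if a.is_login_page and scheme == "http":
            f.http_login_pages.append(a.host)
        # "Critical" here means: the CVE appears in the known-exploited catalogue.
        for cve in sorted(a.cves & known_exploited):
            f.critical_vulns.append((a.host, cve))
    return f


def summarize(companies: Dict[str, List[Asset]], today: date) -> Dict[str, float]:
    """Aggregate per-company findings into the kind of statistics the report quotes."""
    n = len(companies)
    with_expired = with_http_login = with_critical = 0
    total_critical = 0
    for assets in companies.values():
        f = triage(assets, today)
        with_expired += bool(f.expired_certs)
        with_http_login += bool(f.http_login_pages)
        with_critical += bool(f.critical_vulns)
        total_critical += len(f.critical_vulns)
    return {
        "share_with_expired_cert": with_expired / n,
        "share_with_http_login": with_http_login / n,
        "share_with_critical_vuln": with_critical / n,
        "mean_critical_per_company": total_critical / n,
    }


# Constructed sample inventory (two fictional companies).
TODAY = date(2022, 12, 7)
SAMPLE_INVENTORY: Dict[str, List[Asset]] = {
    "Acme": [
        Asset("www.acme.example", "https://www.acme.example/", False, date(2023, 6, 1)),
        Asset("legacy.acme.example", "http://legacy.acme.example/login", True, None,
              {"CVE-0000-0001", "CVE-0000-0009"}),
        Asset("mail.acme.example", "https://mail.acme.example/", True, date(2022, 11, 30),
              {"CVE-0000-0002"}),
    ],
    "Globex": [
        Asset("www.globex.example", "https://www.globex.example/", False, date(2024, 1, 1)),
        Asset("portal.globex.example", "https://portal.globex.example/login", True,
              date(2023, 3, 1)),
    ],
}

if __name__ == "__main__":
    for name, assets in SAMPLE_INVENTORY.items():
        print(name, triage(assets, TODAY))
    print(summarize(SAMPLE_INVENTORY, TODAY))
```

On the sample inventory, `triage` flags Acme's expired mail certificate, its HTTP login page on the legacy host, and two known-exploited CVEs, while Globex is clean; `summarize` then reports half the companies affected by each issue and one critical vulnerability per company on average. Replacing the constructed inventory with the output of a real discovery tool and the placeholder set with the actual KEV catalogue turns this into a recurring check.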

“Our findings show that Fortune 500 organizations should follow CISA’s lead,” Cyberpion CEO and co-founder Nethanel Gelernter said in a statement. “They are recognizing the importance of comprehensive attack surface visibility and risk exposure.”

“With the adoption of new technologies, distributed employees and customers, and ever-growing engagement of third-party partners, exposed assets are often unknown to and unmanaged by IT and security teams,” Gelernter added. “As CISA makes clear, this presents an unacceptable level of risk.”

DoD Contractors Lacking Security Too

Issues like these reach far beyond the Fortune 500. A separate CyberSheath survey of 300 U.S.-based Department of Defense (DoD) contractors recently found that 87 percent fail to meet basic Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

A Supplier Performance Risk System (SPRS) score of 110 is required for full compliance, but 87 percent of contractors don’t even reach a score of 70.

And their shortcomings aren’t exactly subtle. Approximately 80 percent of the Defense Industrial Base (DIB) don’t use a vulnerability management solution, 79 percent don’t leverage a comprehensive multi-factor authentication (MFA) system, 73 percent don’t have an endpoint detection and response (EDR) solution, and 70 percent haven’t deployed a security information and event management (SIEM) system.

What’s more, the report finds that 82 percent of contractors find it “moderately to extremely difficult to understand the governmental regulations on cybersecurity.”

‘Clear and Present Danger’

“The report’s findings show a clear and present danger to our national security,” CyberSheath CEO Eric Noonan said in a statement. “We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs.”

eSecurity Planet contributor Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet writer since 2009. He's also written extensively about wireless and broadband infrastructure and semiconductor engineering. He started his career at MTV, but soon decided that technology writing was a more promising path.
