rapid7 research report national exposure index 060716.pdf
Sir William Thomson (better known as Lord Kelvin), noted for his research into thermodynamics and his accomplishment of
laying down, literally, the communication foundations of the internet in the form of the first transatlantic telegraph cable, has
a famous saying: “To measure is to know.” This drive “to know” is at the core of everything we do here at Rapid7, whether it’s
developing solutions to help organizations identify, understand, and manage their vulnerabilities and exposure, or providing
solutions to help them detect and deter attackers. It is also what motivates us to develop research initiatives such as Project
Sonar, our active scanning infrastructure, and Heisenberg, our distributed collection of passive honeypots. These projects
make it possible to ask questions at internet scale and mine the results for answers.
To that end, this paper takes the initial steps towards validating some key assumptions about the nature of the internet that
IT and information security professionals take for granted, using the exploratory research tools we have built out here at
The first part of the study establishes—through empirical methodology—that there is, in fact, a relationship between a
country’s economic strength and the quantity of discoverable services hosted on the internet.
The second part of the study measures the prevalence of cleartext, unencrypted services on the internet and their
encrypted counterparts, by country, and uses this ratio to generate an overall National Exposure Index score. In addition, we
break out different protocol families, such as world wide web services, remote administration, e-mail, and others, and rank
countries on their adoption of fully encrypted and cleartext implementations of these services.
Throughout this exploration, we discuss why fully encrypted communication is important for overall internet safety, usability,
and sustainability. Today’s internet touches virtually everyone’s lives and is a critical component of economic security.
Counterintuitively, the adoption of fully encrypted protocols for core internet services has not scaled with our personal,
national, and global dependence on the internet.
This is a foundational paper, intended to educate readers about the core principles on which internet-based services operate.
Future papers from Rapid7 will build upon this work, exploring related areas of security and exposure.
National Exposure Index