Public Vulnerability Research Market in 2014

The Evolving Threat Environment During the Internet of Things Era

November 2015

NFDF-74

Research Team

Pamela Tufegdzic, Industry Analyst, ICT – Network Security, (248) 259-2053, [email protected]

Michael Suby, VP of Research, Stratecast/Frost & Sullivan, (720) 344-4860, [email protected]

Frank Dickson, Research Director, ICT – Network Security, (469) 387-0256, [email protected]

Chris Kissel, Industry Analyst, ICT – Network Security, (623) 910-7986, [email protected]

Report roles: Vice President of Research, Research Director, Lead Analyst, Contributing Analyst

List of Exhibits

Section (slide number)

Executive Summary (slide 8)
Market Overview (slide 10)
• Market Overview – Research Objectives (slide 11)
• Market Overview (continued) (slide 12)
• Market Overview—Best Practices Public Vulnerability Disclosure (slide 17)
• Market Overview—The Evolving Attacker (slide 18)
• Market Overview—Terminology and Definitions (slide 19)
• Market Overview—Key Questions This Insight Answers (slide 22)
Research Methodology (slide 23)
Cyber Threat Analysis and Reporting (slide 26)
• Introduction to Cyber Threat Analysis and Reporting (slide 27)
• The Internet of Things (slide 28)
• The Internet of Things (continued) (slide 29)
• SCADA (slide 31)
• Software – Java (slide 33)
• Malware (slide 34)
• Mobile Malware (slide 37)
Market Trends in Public Vulnerabilities (slide 38)
• Vulnerabilities Reported by Year (slide 39)
• Vulnerabilities Reported by Quarter (slide 40)
• Market Trends (slide 41)
• Vulnerability Disclosure (slide 43)
• Vulnerability Disclosure by Organization Type (slide 46)
• Analysis of Vulnerabilities by Severity (slide 49)
Comparison of Targeted Applications (slide 59)
• Targeted Applications (slide 60)
• Analysis of Targeted Applications (slide 61)
• Top Targeted Types of Applications (slide 62)
• Disclosing Institutions: Web Browser Vulnerabilities (slide 63)
• Disclosing Institutions: Media Applications Vulnerabilities (slide 64)
• Disclosing Institutions: Server Vulnerabilities (slide 65)
• Disclosing Institutions: Business Applications Vulnerabilities (slide 66)
• Analysis of Targeted Applications by Type (slide 67)
• Targeted Web Browser Type (slide 70)
• Analysis of Targeted Web Browser Type (slide 72)
Vulnerability Analysis (slide 73)
• Vulnerability Definitions (slide 74)
• Vulnerabilities Reported by Flaw Type (for 2013) (slide 76)
• Vulnerabilities Reported by Flaw Type (2014) (slide 77)
• Disclosing Institutions: Buffer Overflow Errors (slide 78)
• Disclosing Institutions: Code Injection Errors (slide 79)
• Top Impact Type (slide 80)
• Analysis of Impact Types (slide 82)
Competitive Analysis (slide 83)
• Competitive Analysis: Verified Vulnerabilities (slide 84)
• Competitive Analysis: Verified and Unverified Vulnerabilities (slide 87)
Status of Public Vulnerabilities (slide 89)
Conclusions (slide 93)
• Certification (slide 95)
Appendix (slide 96)
• Vulnerability Database Sources (for 2014) (slide 97)
• List of Publications Cited in This Report (slide 98)
Legal Disclaimer (slide 99)
The Frost & Sullivan Story (slide 100)
• Value Proposition: Future of Your Company & Career (slide 102)
• Global Perspective (slide 103)
• Industry Convergence (slide 104)
• 360º Research Perspective (slide 105)
• Implementation Excellence (slide 106)
• Our Blue Ocean Strategy (slide 107)


Executive Summary

Executive Summary—Key Findings

• 728 software vulnerabilities were reported publicly by research organizations in 2014.

  o In 2014, critical vulnerabilities that rated 10.0 in severity amounted to 12.4% of vulnerabilities disclosed, down from the 24.5% reported in 2013.

  o High-severity vulnerabilities accounted for 30.6% of disclosed vulnerabilities (down from 44.1% in 2013).

  o Medium- and low-severity vulnerabilities represented 51.5% and 3.2% of vulnerabilities disclosed in 2014, respectively. This suggests that better security measures and an improved time-to-patch rate are helping to lower vulnerability severity ratings in 2014.

  o HPE had the most verified vulnerabilities reported, with 317, demonstrating the strength of the HPE TippingPoint contributor program.

• Hewlett-Packard Enterprise (HPE) found 150 critical- and high-severity vulnerabilities (vulnerabilities are labeled critical severity if they have a Common Vulnerability Scoring System (CVSS) base score of 10.0, and high severity if they have a CVSS base score of 7.0 – 9.9). All other disclosing companies together accounted for 163 high-severity vulnerabilities.

• Buffer overflow errors were the most common vulnerability flaw in 2013 and remained so in 2014. HPE found 125 buffer overflow errors in 2014, followed by Verisign iDefense, which found 14 vulnerabilities related to buffer overflow errors.

• In 2014, the six applications with the most vulnerabilities were Microsoft Internet Explorer, Oracle Java Runtime Environment, Microsoft Windows, Adobe Flash Player, Apple QuickTime, and Adobe Reader.

• Frost & Sullivan counted 197 vulnerabilities (27.1% of all vulnerabilities) directly related to Web applications.

• SCADA vulnerabilities increased from 25 in 2013 to 33 in 2014.

• Researchers are looking at more than just network-attached endpoints for vulnerabilities. Web applications and browsers, malware, mobile malware, SCADA, and the Internet of Things are increasingly scrutinized.

• Legacy systems and software that are no longer supported are a major concern for IT departments. On April 14, 2014, Microsoft discontinued its technical support for Windows XP on most devices and all PCs. An estimated 300 million PCs are still actively running XP.

Source: Frost & Sullivan analysis.


Market Overview

Research Objectives

Primary Objective: To acquire, record, and derive an insightful understanding of Public Vulnerability Research from reliable vulnerability vendors and research laboratories in 2014.

Secondary Objectives:

• To identify and promote prolific reporters of vulnerabilities

• To highlight and emphasize the strongest work produced by companies engaging in public vulnerability research reports

• To analyze the gathered vulnerability data for trends and common factors

Source: Frost & Sullivan analysis.

Market Overview

• The following is both a study of software vulnerabilities and of the companies that publicly disclose vulnerabilities.

• A security vulnerability is any error in an IT system that can be exploited by an attacker to compromise the confidentiality or integrity of a system or to deny legitimate users access to a system. Other industry terms for security vulnerabilities include “software bug” and “flaw.”

• In the past, the process by which the analysis of vulnerabilities was shared with third parties was subject to much debate; full disclosure is the practice of making the details of security vulnerabilities public.

  o There is much debate about making vulnerabilities public. Keeping vulnerabilities secret is meant to keep them out of the hands of hackers, but this assumes that hackers cannot discover vulnerabilities on their own. On the organization side, keeping vulnerabilities secret assumes that organizations will spend time and money fixing secret vulnerabilities. Both assumptions have proven to be false.

  o Hackers have proven to be quite adept at discovering secret vulnerabilities. Full disclosure forces organizations to routinely patch their systems.

• Organizations tend to treat vulnerabilities less as a software problem and more as a public relations (PR) problem. This is where full disclosure comes into play: by making the PR problem more acute, it pushes organizations to patch vulnerabilities quickly.

  o Naturally, organizations that receive negative PR every time a vulnerability is made public quickly release a patch fixing the vulnerability in order to minimize the impact of the negative PR.

• Full disclosure of vulnerabilities helped shape the standardization of how vulnerabilities are tracked, managed, and stored.

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• Since 1999, the MITRE Corporation has been responsible for certification and accreditation of the Common Vulnerabilities and Exposures (CVE) list, enabling standardization of how public vulnerabilities are tracked, managed, and stored.

• The MITRE Corporation (a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs) providing innovative, practical solutions for some of the United States’ critical challenges) operates the National Cyber Security FFRDC to enhance cyber security and protect national information systems.

  o Funding for the MITRE Corporation comes from the National Cyber Security Division of the United States Department of Homeland Security.

• The MITRE documentation defines CVE identifiers (also called CVE numbers, CVE-IDs, and CVEs) as unique common identifiers for publicly known information-security vulnerabilities in publicly released software packages.

• In other words, CVE is a dictionary of common names for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools, enabling a quick and accurate assessment of how to remediate vulnerabilities.

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• CVEs (vulnerabilities) are assigned by a CVE Numbering Authority (CNA); there are three primary types of CVE number assignment:

  o The MITRE Corporation functions as editor and primary CNA.

  o Various CNAs assign CVE entries for their own products (e.g., Microsoft, HPE, Oracle).

  o Red Hat (a multinational software company providing open-source software products to the enterprise community) also provides CVE numbers for open source projects that are not themselves a CNA.

• CVEs are used by the Security Content Automation Protocol (SCAP), which finds vulnerabilities and offers methods to define those findings in order to evaluate the possible impact.

• CVEs are listed on MITRE’s system as well as in the U.S. National Vulnerability Database (NVD).

• The NVD is the U.S. government repository of standards-based vulnerability management data for SCAP. Using SCAP, this data enables automation of vulnerability management, security measurement, and compliance.

• The NVD is the CVE dictionary augmented with additional analysis, a database, and a fine-grained search engine, which makes the NVD a superset of CVE.

• The NVD is synchronized with CVE such that any updates to any CVEs (vulnerabilities) appear immediately in the NVD.

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• The NVD uses the Common Vulnerability Scoring System (CVSS) Version 2, an open standard for assigning vulnerability impacts that is designed to convey vulnerability severity and help in determining the urgency and priority of organizations’ responses.

• The NVD provides the following severity rankings per CVE-ID based on CVSS; the system assigns a numeric value between 0 and 10, with higher scores representing greater severity:

  o Vulnerabilities are labeled “Critical to High” severity if they have a CVSS score of 7.0 – 10.0.

  o Vulnerabilities are labeled “Medium” severity if they have a CVSS score of 4.0 – 6.9.

  o Vulnerabilities are labeled “Low” severity if they have a CVSS score of 0.0 – 3.9.

  o Some vulnerabilities may not have enough information to assign a CVSS score, leaving them with a “Not Applicable (NA)” ranking.

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• The vulnerability-disclosing institutions covered in this report include:

  o Core Security, Fortinet, High-Tech Bridge, HPE, IBM, Secunia, US-CERT, and Verisign.

  o Government reporting refers to vulnerabilities disclosed by the United States Computer Emergency Readiness Team (US-CERT).

• US-CERT is a government agency, but the other reporting organizations either sell security-related services or sell security devices.

• In the last 36 months, BeyondTrust and VUPEN Security have dropped off from formal public vulnerability reporting. Core Security and Codenomicon Labs do not have a regular cadence for vulnerability reporting. (Codenomicon Labs is recognized for the initial discovery of the Heartbleed vulnerability.)

• Companies like Google and Yahoo will pay hackers upon the discovery of vulnerabilities. However, the economics are not there to support vulnerability discovery through formal bounty programs. Ethical hackers still matter, but the goal is to demonstrate vulnerabilities in the context of a larger security platform.

• Frost & Sullivan considers vulnerabilities that have been disclosed by public vulnerability reporting agencies; this pool of vulnerabilities totals 728 in 2014.

  o HPE had 318 verified, publicly reported vulnerabilities.

  o US-CERT had 282.

  o High-Tech Bridge had 54.

Source: Frost & Sullivan analysis.

Market Overview—Best Practices: Public Vulnerability Disclosure

• Companies that uncover and report the most vulnerabilities could be perceived as having the most able team of researchers. This perception, on some level, validates the efficacy of their security tools.

  o On occasion, bounties are offered to independent researchers or public vulnerability teams to discover vulnerabilities. For individual researchers, this is how they make their money.

• IBM, HPE, High-Tech Bridge, Secunia, and FortiGuard Labs will wait until a vulnerability is vetted by the vendor, and will continue to wait until the vendor is comfortable with an advisory before going public.

• While well intended, this practice does cause frustration for public vulnerability disclosing institutions. Vulnerabilities are initially reported to a Product Security Incident Response Team (PSIRT). If the PSIRT is taxed with other obligations, does not internally test a vulnerability, or is particularly slow to act on a vulnerability, the public advisory stage is delayed.

• Delays in the public advisory process can have a cascading effect. If a Linux kernel (as an example) is used in several applications, then until that kernel is fixed at the source code level, every application that depends on the kernel is potentially at risk.

Source: Frost & Sullivan analysis.

Market Overview—The Evolving Attacker

• Unfortunately, the job of IT security continues to be unrelenting and is getting more difficult.

• Nation-states have conducted campaigns against other countries, manufacturing interests, nuclear facilities, and media outlets. Also, businesses such as online gaming companies will employ agencies to launch denial-of-service attacks against competitors in the hope of increasing their own attractiveness during peak hours.

• Cyber gangs operate like the gangsters of the past, the only check on them being the chance that they are caught. The criminal element can provide services that have the veneer of decency. Formal service level agreements (SLAs) for everything are imaginable: cost to disrupt service, personal information gathering, credit card numbers, and social network hacking.

• Basic exploit kits are available for purchase, which means the technical expertise of a willing hacker is less of a barrier to bad actors entering the field.

• Low-tech threats are increasing in volume, and high-tech threats are increasing in sophistication.

Source: Frost & Sullivan analysis.

Market Overview—Terminology and Definitions

This research study references Common Weakness Enumeration (CWE) specifications to describe vulnerability flaw types. Definitions of the most frequently occurring vulnerabilities in 2014 are as follows:

• Buffer errors - A memory buffer is a memory slot of a specific, allocated size. Hackers can write too much data into the memory buffer, which causes data to spill into adjacent memory slots, resulting in application crashes or malfunctions.

• Improper input validation - Improper input validation occurs when a program accepts incorrectly formatted data as valid user input. Attackers can then supply data that the program cannot handle, causing the application to crash or act improperly.

• Resource management errors - These errors occur when a program does not limit the amount of resources, such as memory or processing power, that it uses. Attackers can then use up all of the system’s resources to block system access by legitimate users.

• Numeric errors - Many programs must be able to conduct precise mathematical calculations. When programs do not handle numbers accurately, such as when rounding or changing the sign of a number, the program’s accuracy will be compromised.

• Cross-site scripting (XSS) - Cross-site scripting occurs when a Web site does not validate or protect a user’s data before passing it to another user. Attackers can use this flaw to plant malicious script in Web pages served to other users.

• Permissions, privileges, and access - Errors relating to permissions, privileges, and access occur when a program provides excessive access or rights to unauthorized parties.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.

Market Overview—Terminology and Definitions (continued)

• Code injection - Code injection occurs when third-party code infiltrates a program’s legitimate code. This type of vulnerability allows attackers to control and manipulate a system.

• SQL injection - SQL injection enables attackers to execute code and control a database in an unauthorized manner. Vulnerabilities in Web sites or Web applications enable the attacker to inject code into the database, which allows the attacker to control the system.

• Cryptographic issues - Cryptography is a set of algorithms that render data indecipherable to unauthorized users. Authorized users are provided with the key to decrypt and read the data. These systems may be vulnerable to attacks that bypass the cryptography or obtain unauthorized access to the key.

• CSRF - Cross-site request forgeries enable attackers to act as a particular end user and perform unauthorized actions. CSRF attacks rely on authorization and authentication data saved by a user’s browser to perform actions as if under the user’s approval.

• Authentication issues - Businesses rely on authentication systems to validate user identity in order to grant appropriate levels of access. Vulnerabilities may exist that allow users to bypass or fool authentication systems and gain unauthorized or excessive access privileges.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.

Market Overview—Terminology and Definitions (continued)

• The Microsoft Windows family of operating systems includes Windows ME (2000), Windows Server 2000, Windows XP (2001), Windows Server 2003, Windows Vista (2006), Windows 7 (2009), Windows 8 (2012), and Windows 10 (2015).

• The Mac OS family of operating systems includes all versions of Mac OS X and Mac OS X Server. The Linux/Unix category of operating systems includes Linux and Unix-based operating systems, including Android OS.

• Individual reporting includes security researchers who report vulnerabilities to security vendors for disclosure. These individuals are either credited by name or remain anonymous.

• Disclosure credit applied to security vendors includes organizations that have research laboratories that find, gather, and disclose vulnerabilities.

Source: Frost & Sullivan analysis.


Market Overview—Key Questions This Insight Answers

Where does vulnerability research fit into the overall information and network security industry?

What are the major trends in the public vulnerability research market?

What type of vulnerabilities are reported the most?

Which applications and application types were prone to vulnerabilities in 2014?

What types of vulnerability errors resulted in severe impacts?

How are companies starting to report threats in malware and mobile malware?

Source: Frost & Sullivan analysis.


Research Methodology

Research Methodology

• Vulnerability information included in this study is determined through vendor briefings, Frost & Sullivan in-house research, vendor publications, and publicly reported vulnerabilities.

• The United States Computer Emergency Readiness Team (US-CERT) Vulnerability Notes are a primary source of vulnerability data in this Market Insight.

• The National Vulnerability Database (NVD) provides severity metrics and technical data. A vulnerability must have a unique Common Vulnerabilities and Exposures (CVE) or US-CERT number assigned to qualify for inclusion as a vulnerability in this report.

• Frost & Sullivan requires CVE numbers for report inclusion to eliminate the double reporting of vulnerabilities. This ensures that each vulnerability report counted represents a single vulnerability.

• Validation and qualitative information are based on analyst interviews with market participants and secondary research.

• The NVD provided Common Vulnerability Scoring System Version 2.0 (CVSS V2) scores and rankings for each vulnerability reported. (Note: CVSS V3 is being phased in.)

Source: Frost & Sullivan analysis.

Research Methodology (continued)

• CVSS is a widely accepted industry standard and is applied to most reported vulnerabilities.

• CVSS provides a base score that represents the innate characteristics of each vulnerability. This base score does not account for temporal and environmental conditions.

• In addition to the numeric CVSS scores, this report provides a severity ranking for each vulnerability, mapping qualitative rankings to numeric CVSS scores.

• Government research, individuals, manufacturers, and security vendor vulnerability reports contributed to this Market Insight. Credit for a vulnerability is attributed to the disclosing organization. For example, US-CERT may credit Rapid7 for discovering a vulnerability, but US-CERT is given credit as the disclosing institution.

• This report also includes original vulnerability discoveries that are reported on research vendor Web sites. For a complete list of sources referred to in this insight, see Vulnerability Database Sources (for 2014).

• Research sections attributed to specific vendors are the result of briefings and publicly disclosed records. Specific quotes were sent back to the vendors to confirm accuracy.

• The formal reporting focuses on the base year 2014.

Source: Frost & Sullivan analysis.
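As an added example that is not part of the report, the following Python applies two of the rules stated above to a constructed set of disclosure records: the CVSS v2 severity bands from the Market Overview (with the 10.0 score split out as "Critical", as the Executive Summary does) and the Research Methodology's inclusion rule that each counted vulnerability needs a unique CVE or US-CERT number, with credit going to the disclosing institution rather than the finder. The sample records, the identifier formats checked, and the function names are assumptions for illustration, not the report's data or tooling.

```python
"""Tally disclosure records the way the report's methodology describes:
keep only records with a unique CVE or US-CERT (VU#) identifier, credit the
disclosing institution rather than the original finder, and bucket NVD CVSS v2
base scores into the report's qualitative bands.

All records below are constructed sample data, not figures from the report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# CVE-YYYY-NNNN (four or more digits after the year) or a US-CERT Vulnerability Note ID.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
VU_ID_RE = re.compile(r"^VU#\d{6}$")


@dataclass(frozen=True)
class Disclosure:
    vuln_id: Optional[str]      # CVE or VU# identifier; None if none was assigned
    cvss_base: Optional[float]  # NVD CVSS v2 base score; None if the NVD has not scored it
    discloser: str              # institution that published the advisory
    credited_to: str            # researcher or firm the advisory credits with discovery


def severity(score: Optional[float]) -> str:
    """Map a CVSS v2 base score to the report's bands.

    The NVD bands are Critical to High (7.0-10.0), Medium (4.0-6.9) and
    Low (0.0-3.9); the Executive Summary splits the 10.0 score out as
    'Critical', so that split is reproduced here. Unscored entries are 'NA'.
    """
    if score is None:
        return "NA"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {score}")
    if score == 10.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def has_valid_id(vuln_id: Optional[str]) -> bool:
    """True when the record carries a CVE-ID or a US-CERT VU# identifier."""
    return vuln_id is not None and bool(CVE_ID_RE.match(vuln_id) or VU_ID_RE.match(vuln_id))


def qualify(records):
    """Apply the inclusion rule: one identifier, counted once.

    Returns (kept, rejected). A repeated identifier is a double report of the
    same vulnerability, so only the first record for it is kept; the credit
    stays with that record's disclosing institution.
    """
    kept, rejected = {}, []
    for rec in records:
        if not has_valid_id(rec.vuln_id) or rec.vuln_id in kept:
            rejected.append(rec)
        else:
            kept[rec.vuln_id] = rec
    return list(kept.values()), rejected


def severity_breakdown(records):
    """Return {band: (count, percent of qualifying records)}."""
    kept, _ = qualify(records)
    counts = Counter(severity(rec.cvss_base) for rec in kept)
    total = len(kept)
    return {band: (n, round(100.0 * n / total, 1)) for band, n in counts.items()}


def discloser_counts(records):
    """Count qualifying records per disclosing institution (not per finder)."""
    kept, _ = qualify(records)
    return Counter(rec.discloser for rec in kept)


# Constructed sample records; identifiers and scores are invented for illustration.
SAMPLE = [
    Disclosure("CVE-2014-90001", 10.0, "HPE", "TippingPoint contributor"),
    Disclosure("CVE-2014-90002", 9.3, "HPE", "TippingPoint contributor"),
    Disclosure("CVE-2014-90003", 7.0, "US-CERT", "Rapid7"),   # credit goes to US-CERT
    Disclosure("CVE-2014-90004", 5.0, "High-Tech Bridge", "High-Tech Bridge"),
    Disclosure("CVE-2014-90005", 4.0, "US-CERT", "anonymous"),
    Disclosure("CVE-2014-90006", 2.1, "Secunia", "Secunia"),
    Disclosure("CVE-2014-90007", None, "IBM", "IBM X-Force"),  # not yet scored by the NVD
    Disclosure("CVE-2014-90003", 7.0, "Secunia", "Rapid7"),   # double report, dropped
    Disclosure("VU#900001", 6.8, "US-CERT", "anonymous"),      # US-CERT note without a CVE
    Disclosure(None, 3.0, "Fortinet", "FortiGuard Labs"),      # no identifier, dropped
]

if __name__ == "__main__":
    kept, rejected = qualify(SAMPLE)
    print(f"{len(kept)} qualifying records, {len(rejected)} rejected")
    for band, (n, pct) in sorted(severity_breakdown(SAMPLE).items()):
        print(f"{band:<9}{n:>3}  {pct:5.1f}%")
    print(discloser_counts(SAMPLE).most_common())
```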


Cyber Threat Analysis and Reporting

Introduction to Cyber Threat Analysis and Reporting

• The majority of this report is focused on software vulnerabilities that are publicly disclosed and given Common Vulnerability Scoring System (CVSS) v2 scores.

• The research paradigms are changing for the types of companies that disclose vulnerabilities with vendors and for how they share the results on a global platform.

• Increasingly, threat environments are perimeter-based. Hackers are also finding ways to glean information from social media Web sites, and are developing new strategies to deliver exploits through watering holes and phishing attacks.

• Two developments—Heterogeneous Networking and the Internet of Things—are strengthening communications platforms. Unfortunately, the same new networking systems that create agility for businesses are also ways for hackers to access networking systems.

• Smartphones, tablets, and custom-made devices use the Internet for personal and commercial applications. Mobile represents a new frontier for app developers and would-be attackers alike.

• Many of the companies that Frost & Sullivan is working with in the development of this report are producing excellent content on all types of vulnerabilities.

Source: Frost & Sullivan analysis.

The Internet of Things

• The Internet of Things (IoT) refers to devices that are embedded with sensors, software, electronics, and network connectivity that enable these devices to collect and exchange data or be controlled remotely across an existing network infrastructure.

• In 2015, Ericsson forecast there would be 26 billion connected devices by 2020. Cisco, in 2013, forecast 30 billion connected devices by 2020, most of which will be machine-to-machine (M2M) connections with big data analytics taking place.

• The new connected devices and systems include, but are not limited to, home and small office routers, home and commercial automation systems, networks with thin clients, purpose-built devices, and connected automobiles. As more physical devices become connected through the IoT, the diverse nature of these technologies gives rise to concern regarding security.

• IoT necessitates increased bandwidth and computational power. The era of cloud services is helping to accommodate this demand.

• The cloud is fundamentally (but not always) a browser-based, off-premises technology. Advantages of cloud-based services include high-bandwidth connections to the workload-hosting data centers, auto-provisioned computing, infinite storage, and mitigation of obsolescence as services and applications take the place of equipment purchases.

Source: Frost & Sullivan analysis.

The Internet of Things (continued)

• Cloud security is a matter of open debate. Cloud computing and cloud storage vendors argue that cloud architecture does not add any additional security concerns.

• However, much of the communication from virtual workloads emanates from OpenStack software libraries. If a vulnerability is discovered in OpenStack middleware, firmware, or software kernels, the potential to exploit a large number of servers exists.

• There are concept ideas that automobiles can be used to enhance the public Wi-Fi grid. Creating a network of vehicles that are all connected to the Internet, provide free Wi-Fi to those in and around the vehicles, and also collect data about the environment they are moving in is an idea that encapsulates what the IoT is trying to achieve.

• The internal electronic system in automobiles is the controller area network (CAN) bus. To manipulate auto electronics, the person devising an exploit must have physical access.

• However, any system that is tied to cellular networks or Wi-Fi (on-board navigation systems or GPS systems connected to the Internet, for example) is potentially vulnerable.

• The IoT continues to grow. According to HPE, IoT continues to capitalize on new opportunities in areas such as sensor monitoring in traffic, railways, cars, the home, the local power grid, embedded medical devices (including wearable sensors), and computing.

Source: Frost & Sullivan analysis.


The Internet of Things (continued)

• IBM X-Force has identified the following points of protection and the types of security controls that should be implemented for IoT:

o A secure operating system with trusted firmware guarantees. This includes the ability to perform over-the-network / over-the-air updates across untrusted connections, which in practice means signed update images that the device verifies before installing.

o A unique identifier. While IPv6 is key to addressing "things" on networks, "things" also need a subscription to a trusted identity database.

o Strong authentication and access control. When users access the data on "things" or control them through a cloud service from a mobile device, it is crucial to verify that the user is who he or she claims to be.

o Data privacy protection. The data that flows to and from "things", and that may be stored on "things" or their controlling devices, can be sensitive.

o Strong application security. Vulnerabilities arise from software bugs. Hardware manufacturers are often not experts in software development, including the Web applications that may reside on the "thing" or exist as a cloud portal and mobile apps; using certified software components may help reduce software bugs.

• The IBM model for the IoT is still a work in progress since the IoT, as a whole, is still evolving.

Source: Frost & Sullivan analysis.


SCADA

• Stuxnet, discovered in June 2010, was a game-changer for attacks on Supervisory Control and Data Acquisition (SCADA) systems. Stuxnet is widely believed to be a worm developed by US and Israeli government agencies that targeted the Siemens programmable logic controllers running centrifuges at Iranian nuclear enrichment facilities. Several research firms maintain that the attack was viral: Stuxnet spread well beyond the Iranian facilities it was built for.

• SCADA systems were once considered both low-risk and low-gain targets, even though SCADA systems sit outside of traditional security perimeters.

o Attacks were low-risk in the sense that SCADA systems were attached to machinery or automation sets and were self-contained. They were low-gain in that self-contained systems did not hold personal information, nor did SCADA systems guard financial assets or intellectual property.

o However, Stuxnet showed how a nation-state can cause physical disruption through such systems.

• Legacy SCADA systems have always offered supervisory control: the ability to act on remote locations through various controls and mechanisms, and to collect data from remote devices.

• In the current generation, many SCADA systems have adopted Internet of Things technology. The use of open, IP-based protocols secured with TLS provides a more readily comprehensible and manageable security boundary than the diverse mix of proprietary network protocols typical of many decentralized SCADA systems. However, linking SCADA and IP systems also exposes more attack surface.

Source: Frost & Sullivan analysis.


SCADA (continued)

• Real-time analytics and the use of virtualized computing, in cloud and non-cloud environments, enable SCADA systems linked with IoT technology to implement more complex control algorithms than are feasible on traditional programmable logic controllers.

• The move from legacy SCADA systems to more standardized and automated solutions, together with the increased number of connections between SCADA systems, office networks, and the Internet, has made them more vulnerable to cyber attacks. Industrial control vendors suggest approaching SCADA security like information security, with a defense-in-depth strategy that leverages common IT practices (segmentation between control and office networks, monitoring, and patch management).

• Part of the problem with public vulnerability disclosure in the SCADA space is that PSIRTs for SCADA vendors do not have the same degree of interaction with disclosing laboratories. SCADA PSIRTs are less familiar with the cycle of acknowledging vulnerabilities, remediation, patching, and then public disclosure.

• Frost & Sullivan's research indicates that SCADA vulnerabilities increased from 25 in 2013 to 33 in 2014.


Software―Java

• Java is one of the most widely deployed programming languages and runtimes, used in all types of applications:

o Java runs on 97% of enterprise desktops.

o In the US, Java is installed on 89% of all PCs.

o Three billion mobile phones use Java environments.

o There are currently nine million Java developers worldwide.

• Cisco reported that Java exploits decreased by 34% as Java security improved and adversaries moved to other attack vectors. Exploits of client-side vulnerabilities in Adobe Flash Player and Microsoft Internet Explorer took the lead from Java in 2014.

• Apple, Amazon, and Google have since restricted Flash-based advertising because of the rise in malvertising, forcing advertisers to turn to alternative technologies such as HTML5 and JavaScript.

• Data from the National Vulnerability Database (NVD) shows a similar decline: NVD recorded 309 Java vulnerabilities in 2013 and 253 new Java vulnerabilities in 2014.

• Cisco Security Research suggests that the decline in Java exploits can be tied partly to current versions of Java that patch automatically, while older, more vulnerable versions of the Java Runtime Environment are blocked by default by browser vendors.

• Apple, as a precaution, disables old and vulnerable versions of Java and delivers patches through automatic updates.

• The latest version, Java 8, has stronger controls than previous releases. It is also harder to exploit because it requires human interaction: applets must be code-signed, and a dialogue asks the user to explicitly enable Java.

Source: Frost & Sullivan analysis.


Malware

• Malware is short for "malicious software": software intended to damage or disable computers and computer systems without the user's consent.

• Malware continued to plague computer networks globally in 2014, with viruses, worms, Trojan horses, spyware, and more.

• Point-of-sale (POS) security breaches were the biggest stories of 2014. The Identity Theft Resource Center recorded 761 data breaches across financial, business, educational, government, and medical institutions. The more notorious events include the Sony Pictures hack and the POS malware attacks on Target, Staples, Dairy Queen, Michaels, and Home Depot, which resulted in the theft of credit and debit card details and email addresses.

• POS systems are migrating to EMV (Europay, MasterCard, and Visa) chip-and-PIN cards, which store their data on an integrated circuit rather than a magnetic stripe, making the chip itself nearly impossible to clone. Many EMV cards still carry a magnetic stripe for backward compatibility, however, and stripe data remains as easy to copy as before.

• In 2014, High-Tech Bridge observed that ransomware attacks were on the rise. Ransomware is malware that extorts money from victims by holding their data or system access for ransom, typically encrypting files under a key that is protected with asymmetric cryptography so the victim cannot recover it from the infected machine.

• RansomWeb attacks target Web application owners rather than individual end users. The attacker inserts code on a vulnerable Web server that transparently encrypts the application's database contents (including records such as login credentials) as they are written, while the application keeps decrypting them on read, so nothing appears wrong and backups silently fill with encrypted data. The attacker then withdraws the key, and the data remains inaccessible until the owner pays the ransom.

Source: Frost & Sullivan analysis.


Malware (continued)

• According to Symantec, ransomware attacks grew 113% in 2014, driven by a more than 4,000% increase in crypto-ransomware attacks.

• In 2013, crypto-ransomware accounted for a negligible share of all ransomware attacks (0.2%, or 1 in 500 instances). In 2014, crypto-ransomware was seen 45 times more frequently.

o While crypto-ransomware predominantly attacks devices running Windows, Symantec has seen an increase in versions developed for other operating systems.

o Notably, the first crypto-ransomware on mobile devices was observed on Android in 2014.

• In its "Cyber Risk Report 2015", HPE reported that the number of collected malware samples had escalated from 83 million to an estimated 140 million, citing AV-Test.org.

• Anti-virus (AV) is the formal security measure designed to prevent malware. In general, AV is held in lower esteem by security experts each year as attacks become more sophisticated. However, AV remains valuable if properly implemented; for one thing, when used in conjunction with reputation services, the rate of false positives is appreciably reduced.

• Fortinet holds a patent for Compact Pattern Recognition Language (CPRL), which emulates malware execution. The purpose of CPRL is to use AV not only for the detection of known malware but also to detect Advanced Persistent Threats.


Malware (continued)

• According to IBM X-Force, the United States dominates the scene by hosting nearly 43% of all malicious links. The country with the second-highest concentration of malicious links is China, which hosts around 11%, followed by Germany at 8.3%.

• Non-targeted attacks still make up the majority of malware, which increased by 26% in 2014 according to Symantec. More than 317 million new pieces of malware were created in 2014, meaning nearly one million new threats were released into the wild each day.

• Malware production is largely automated: by this estimate, more than 95% of new malware samples are generated by botnets.

• Fortinet research noted that ZeroAccess, Andromeda, Jeefo, Smoke, and Morto were five of the most active botnets in 2013.

• Support for Microsoft's popular Windows XP officially ended on April 8, 2014. Microsoft no longer distributes security patches for the operating system, so any security vulnerabilities found after that date will not be fixed. This leaves malware authors a large, permanently unpatched attack surface.

• In 2014, 1 in 1,126 Web sites was found to host malware, compared with 1 in 566 in 2013, according to Symantec.

• In 2014, 20% of all Web site vulnerabilities were considered critical, giving cyber criminals the ability to access users' sensitive data, per Symantec.

Source: Frost & Sullivan analysis.


Mobile Malware

• Differing definitions of "malware" make measuring mobile malware risk extremely difficult.

• Mobile users face a range of very real risks from ransomware, spyware, malicious apps, and financial malware.

• There were 168 mobile vulnerabilities disclosed in 2014, a 32% increase compared to 2013.

• According to Symantec, 84% of mobile vulnerabilities in 2014 related to Apple iOS, compared with 11% for Android, 4% for BlackBerry, and 1% for Nokia.

• As of 2014, Symantec had identified more than 1 million apps classified as malware.

• Mobile devices can harbor malicious files that are dangerous to traditional PCs. For example, a user picks up a malicious file on a phone, puts it in Dropbox, and then opens it on a work machine, which becomes infected.

• In many ways, the term "mobile" is an arbitrary distinction: once a device is connected to a network, it becomes vulnerable to many of the same malware strains as PCs.

• The Motive Security Labs H1 2015 Malware Report indicated that spyware disguised as adware for PCs was attaching itself to smartphones as well.

• In the same study, Alcatel-Lucent noted that 80% of malware infections detected on mobile networks were traced to Windows-based devices.

• G DATA closely monitors the mobile malware market. In Q1 2015, G DATA found more than 440,000 new Android malware strains. In its Q1 2015 Mobile Malware Report, G DATA also found that mobile malware incidents increased by 6.4% from Q1 2014 to Q1 2015.

• Kaspersky Lab found a dramatic leap in mobile malware, reporting a 65% increase from Q4 2014 to Q1 2015.

Source: Frost & Sullivan analysis.


Market Trends in Public Vulnerabilities


Vulnerabilities Reported by Year

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Yearly Reported Vulnerabilities, Global, 2010–2014

Year    Vulnerabilities reported
2010    497
2011    537
2012    519
2013    624
2014    728


Vulnerabilities Reported by Quarter

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Quarterly Reported Vulnerabilities, Global, 2011–2014

Year    Q1     Q2     Q3     Q4     Year total
2011    166    153     72    146    537
2012    125    168    130     96    519
2013    165    178    160    121    624
2014    110    213    248    157    728


Market Trends

• From January 1, 2014 through December 31, 2014, 7,903 vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) identifiers.

• Many of these identifiers were reserved in good faith. In some cases, however, the vulnerability is never confirmed and the CVE identifier remains in reserved status with no public details. Roughly 85 percent of the vulnerabilities given a CVE identifier are verified and receive a CVSS score from the NVD.

• Frost & Sullivan counts 728 publicly reported and verified vulnerabilities. Frost & Sullivan includes only the vulnerabilities for which the NVD issued a public disclosure. "Publicly disclosed" implies that the vendor and the disclosing organization make a joint statement.

• HPE had the most verified vulnerabilities reported, with 317, demonstrating the reach of the HPE TippingPoint contributor program.

• Cyber-attacks are largely automated, and the vast majority (roughly 80%) of disclosed vulnerabilities are never acted upon by attackers.

• IBM X-Force noted that the explosion in the sheer number of vulnerabilities happened between 2004 and 2006.

Source: Frost & Sullivan analysis.


Market Trends (continued)

• PAST: Customer demand drove vulnerability testing, but this has changed in recent years.

• PRESENT: Vulnerability testing is no longer elective; companies must be able to mitigate persistent threat environments. Compliance testing is becoming more of a requirement as the Affordable Care Act gains traction, Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 takes hold, and international markets adopt cyber defense practices. One example: the Basic Standard for Enterprise Internal Control mandated by the Chinese government (known as C-SOX, the Chinese equivalent of Sarbanes-Oxley in the US).

• TRENDING: The US Federal Government is observing NIST SP 800-53A, Rev. 4. This standard establishes the basis for continuous monitoring.

• The Top 20 Critical Security Controls (CSC) are consensus best practices designed to reduce the attack surface.

• The top five CSC measures are: 1) Inventory of Authorized and Unauthorized Devices, 2) Inventory of Authorized and Unauthorized Software, 3) Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, 4) Continuous Vulnerability Assessment and Remediation, and 5) Malware Defenses.

Source: Frost & Sullivan analysis.


Vulnerability Disclosure

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Public Vulnerability Research Market: Percentage of Reported Vulnerabilities by Disclosure Type, Global, 2014

Third-party       89.9%
Self-disclosure   10.1%


Vulnerability Disclosure (continued)

• Self-disclosed vulnerabilities are vulnerabilities reported by the manufacturer of the affected application. Third-party sources are research laboratories or individuals who report vulnerabilities in an application.

• Third-party sources continued to report the majority of vulnerabilities in 2014: they discovered and reported 89.9% of vulnerabilities.

• Self-disclosed reports accounted for 10.1% of reported vulnerabilities.

• Manufacturers have different mechanisms for reporting vulnerabilities. Most companies issue advisories; manufacturers like Microsoft and Oracle release advisories on a regular schedule.

• Security patches are the primary method of fixing security vulnerabilities in software. A patch is a piece of software designed to update a program or its supporting data in order to fix or improve it; this covers security vulnerabilities as well as other bugs affecting usability and performance.

• Whether exploit code or details of the vulnerability behind a patch were ever made public is a matter of semantics: the vulnerability exists either way.

• For PSIRTs, testing for vulnerabilities draws on both internal and external sources. Manufacturers continue to contract vulnerability testing out to research laboratories. Testing Web portals and applications is now as important as testing network endpoints and configurations.

Source: Frost & Sullivan analysis.


Vulnerability Disclosure (continued)

• Vulnerability disclosure is a double-edged sword. If a manufacturer discloses a vulnerability, it admits a procedural weakness in the production phase.

• However, almost any application or network will display a vulnerability at some point. Vulnerability disclosure is therefore part of the ongoing obligation a manufacturer has to its customers to ensure integrity.

• When working with manufacturers, security vendors may decide not to disclose some vulnerabilities because they are unfixable or too expensive and resource-intensive to fix.

Source: Frost & Sullivan analysis.


Vulnerability Disclosure by Organization Type

Public Vulnerability Research Market: Percentage of Vulnerabilities by Organization Type, Global, 2014

Individual        33.5%
Government        32.6%
Security vendor   30.4%
Anonymous          3.6%

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities


Vulnerability Disclosure by Organization Type (continued)

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Reported Vulnerabilities by Organization Type, Global, 2014 (N=728 vulnerabilities)

Disclosing organization type   Vulnerabilities reported
Individual                     244
Government                     237
Security vendor                221
Anonymous                       26


Vulnerability Disclosure by Organization Type (continued)

• Vulnerabilities disclosed through HPE and Secunia were counted as Individual if the disclosure credited an individual. If the vulnerability was disclosed as Secunia Research or HPE, it was counted in the Security vendor category.

• US-CERT vulnerabilities were counted in the Government category even if individually reported.

• Individuals were credited with 33.5% of vulnerability discoveries. Security vendors found 30.4% of all publicly disclosed vulnerabilities.

• Twenty-six vulnerabilities were reported anonymously or with unknown attribution.

Source: Frost & Sullivan analysis.


Analysis of Vulnerabilities by Severity


Analysis of Vulnerabilities by Severity

Public Vulnerability Research Market: Percentage of Reported Vulnerabilities by Severity, Global, 2014 (N=728 vulnerabilities)

Medium-severity     51.5%
High-severity       30.6%
Critical-severity   12.4%
Low-severity         3.2%
NA                   2.3%

Severity bands (CVSS base score): Critical = 10.0; High = 7.0–9.9; Medium = 4.0–6.9; Low = 0.0–3.9; N/A = not applicable (no score assigned)

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis


Analysis of Vulnerabilities by Severity (continued)

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Critical-severity Vulnerabilities by Reporting Source, Global, 2014 (N=728 vulnerabilities)

Organization         Critical-severity vulnerabilities reported
HPE                  44
US-CERT              36
Verisign iDefense     6
High-Tech Bridge      4
Secunia               1
FortiGuard Labs       1
Rapid7                1


Analysis of Vulnerabilities by Severity (continued)

• The National Vulnerability Database assigns a CVSS score to each vulnerability; the score is useful in assessing an organization's risk and remediation priorities.

• In 2014, critical vulnerabilities (rated 10.0 by the NVD) amounted to 12.4% of vulnerabilities disclosed, down from 24.5% reported by the same disclosing institutions in 2013. Critical-severity vulnerabilities typically allow remote code execution or denial of service, either of which can hamper or shut down an organization's operations.

• High-severity vulnerabilities accounted for 30.6% of disclosed vulnerabilities (down from 44.1% in 2013). These vulnerabilities also expose systems to denial-of-service attacks and to modification of files in the network's infrastructure.

• Medium- and low-severity vulnerabilities represented 51.5% and 3.2% of disclosed vulnerabilities, respectively.

Source: Frost & Sullivan analysis.
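The following Python script is an added example, not part of the Frost & Sullivan report or its data set. It reproduces the severity bucketing used in this section (Critical = 10.0, High = 7.0–9.9, Medium = 4.0–6.9, Low = 0.0–3.9, N/A for unscored entries) and the treatment of reserved-but-unscored CVE identifiers described under Market Trends, and it computes the year-over-year change the text reports for critical vulnerabilities. The record list is constructed to hit every band edge; the identifiers are placeholders, not CVE numbers. One caveat a practitioner should carry: the "Critical = 10.0" band is this report's own convention; the CVSS v2 scale that NVD used in 2014 has no Critical band and rates 7.0–10.0 as High, so the counts here will not match tooling that applies the standard CVSS v2 or v3 bands.

```python
"""Bucket scored vulnerabilities into this report's severity bands.

Added example; the records below are constructed for illustration and
are not the Frost & Sullivan data set.
"""
from collections import Counter

# Severity bands as defined in this report (CVSS base score ranges).
# These are the report's own bands: the CVSS v2 standard NVD used in 2014
# has no "Critical" band and rates 7.0-10.0 as High.
BANDS = (
    ("Critical", 10.0, 10.0),
    ("High", 7.0, 9.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.0, 3.9),
)
NA = "NA"  # reserved or otherwise unscored identifiers


def severity_band(score):
    """Map a CVSS base score to the report's band; None -> NA.

    Scores are rounded to one decimal first because CVSS scores carry one
    decimal; an unrounded value such as 9.96 would otherwise fall through
    the gap between the High (<= 9.9) and Critical (== 10.0) bands.
    """
    if score is None:
        return NA
    score = round(float(score), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise AssertionError("unreachable: bands cover 0.0-10.0")


def distribution(records):
    """Return ({band: count}, {band: percent}) for (id, score) records.

    Percentages use the full record count as the denominator so that the
    NA share stays visible instead of being silently dropped, matching the
    report's own presentation (NA = 2.3% of N=728).
    """
    raw = Counter(severity_band(score) for _, score in records)
    total = sum(raw.values())
    order = [name for name, _, _ in BANDS] + [NA]
    counts = {name: raw.get(name, 0) for name in order}
    pcts = {name: (round(100.0 * counts[name] / total, 1) if total else 0.0)
            for name in order}
    return counts, pcts


def pct_change(old, new):
    """Year-over-year change in percent, e.g. 153 -> 90 is -41.2."""
    if old == 0:
        raise ZeroDivisionError("no baseline count")
    return round(100.0 * (new - old) / old, 1)


# Constructed sample (placeholder ids, not CVE identifiers). Scores are
# chosen to hit every band edge; None marks an identifier that was
# reserved but never scored.
SAMPLE_2014 = [
    ("sample-001", 10.0),
    ("sample-002", 9.9),
    ("sample-003", 7.0),
    ("sample-004", 6.9),
    ("sample-005", 4.0),
    ("sample-006", 3.9),
    ("sample-007", 0.0),
    ("sample-008", None),
]

if __name__ == "__main__":
    counts, pcts = distribution(SAMPLE_2014)
    for band in counts:
        print(f"{band:9s} {counts[band]:3d} {pcts[band]:5.1f}%")
    print("Critical 2013->2014 change:", pct_change(153, 90), "%")
```

To apply it to real data, replace SAMPLE_2014 with (identifier, CVSS base score) pairs pulled from an NVD feed, passing None for entries that carry no score; the NA count then shows how many reserved identifiers sit in the set, which is the 15 percent or so the Market Trends section says never receive a score.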


Analysis of Vulnerabilities by Severity (continued)

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Reported Vulnerabilities by Severity, Global, 2014 (N=728 vulnerabilities)

Threat level        Vulnerabilities reported
Critical-severity   104
High-severity       226
Medium-severity     375
Low-severity         23


Analysis of Vulnerabilities by Severity (continued)

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Critical & High-severity Vulnerabilities by Reporting Source, Global, 2014

Bar values by reporting organization, highest to lowest: 148, 51, 25, 14, 13, 13, 7, 2, 2


Analysis of Vulnerabilities by Severity (continued)

• HPE found a combined 150 critical- and high-severity vulnerabilities. All other disclosing companies in public vulnerability research together accounted for 163 critical- or high-severity vulnerabilities.

• However, in 2014, HPE had contributions from as many as 3,000 people, either employees or individual reporters for the HPE TippingPoint platform.

• US-CERT contributed 107 critical- or high-severity vulnerabilities. In the same categories, High-Tech Bridge reported 16 and VeriSign iDefense reported 23.

• Some firms have left the market: BeyondTrust quit public vulnerability reporting in 2013 because the economics of the business did not support its participation, and VUPEN Security no longer issues formal public advisories.

Source: Frost & Sullivan analysis.


Analysis of Vulnerabilities by Severity (continued)

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Reported Vulnerabilities by Severity, Global, 2013 and 2014 (N=728 vulnerabilities in 2014)

Threat level        2013   2014
Critical-severity    153     90
High-severity        275    223
Medium-severity      177    375
Low-severity          19     23


Analysis of Vulnerabilities by Severity (continued)

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Reported Vulnerabilities by Quarter and Severity, Global, 2014 (N=728 vulnerabilities)

Quarter   Critical-severity   High-severity   Medium-severity   Low-severity
Q1        17                  32               54                4
Q2        26                  76               98               11
Q3        30                  75              129                7
Q4        17                  40               93                4


Analysis of Vulnerabilities by Severity (continued)

• Of the 728 vulnerabilities Frost & Sullivan included in this report for 2014, 12.4% were rated critical (the most severe), 30.6% high severity, and 51.5% medium severity.

• The number of critical vulnerabilities fell 41.2% from 2013 to 2014, from 153 to 90. Critical vulnerabilities decreased in 2014 in part because patches are being applied earlier; according to Secunia, improved time-to-patch is helping to improve the severity picture.

• Automated systems used for continuous diagnostics do a better job of remediating critical vulnerabilities. More organizations are making the transition from alert-based to analytics-enabled operations, resulting in improved security operations processes.

Source: Frost & Sullivan analysis.


Comparison of Targeted Applications


Targeted Applications

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Public Vulnerability Research Market: Applications with the Highest Number of Unique Confirmed Vulnerabilities, Global, 2014 (N=728 vulnerabilities)

Application                        Vulnerabilities reported
Microsoft Internet Explorer        123
Oracle Java Runtime Environment     22
Microsoft Windows                   13
Apple QuickTime                     12
Adobe Flash Player                  12
Adobe Reader                        10


Analysis of Targeted Applications

• In 2014, the top five applications with the most vulnerabilities were Microsoft Internet Explorer, Oracle Java Runtime Environment, Microsoft Windows, Apple QuickTime, and Adobe Flash Player and Reader.

• The biggest year-over-year leap was for Microsoft Internet Explorer, where 123 vulnerabilities were found in 2014 versus 73 vulnerabilities in 2013. All editions of Microsoft Internet Explorer from 6 through 11 have been targeted.

o Internet Explorer is not easily found in Windows 10. It is there, just not upfront. If the replacement browser, Microsoft Edge, proves less vulnerable, upgrades and new installs of Windows 10 might reverse this trend and further confirm Microsoft's decision to build a new browser.

• There were 22 vulnerabilities associated with the Java Runtime Environment.

• Client-side applications, particularly Web browsers, contained the majority of reported vulnerabilities. However, for Microsoft Internet Explorer vulnerabilities specifically, it is hard to tell what is cause and what is effect. Internet Explorer is a ubiquitous business and personal tool. Intuitively, it makes more sense to try to reach other data sources through the client side rather than attack a network directly.

• The problem is that since researchers are independently looking for vulnerabilities on their own, it is possible that they focus on Internet Explorer because it is the application they know best from their research experience.

Source: Frost & Sullivan analysis.

NFDF-74 62

Top Targeted Types of Applications

Public Vulnerability Research Market: Types of Applications with the Highest Number of Unique Confirmed Vulnerabilities, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by application type:

• Web Browser: 138

• Server: 92

• Business Application: 75

• Active X: 72

• Web application: 59

• Media Application: 44

• Network Management: 44

• Data Management: 25

• Router: 20

• Operating Systems: 12

NFDF-74 63

Disclosing Institutions: Web Browser Vulnerabilities

Public Vulnerability Research Market: Web Browser Vulnerabilities by Reporting Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

• HPE: 122

• Verisign: 11

• US-CERT: 4

• Symantec: 1

NFDF-74 64

Disclosing Institutions: Media Applications Vulnerabilities

Public Vulnerability Research Market: Media Application Vulnerabilities by Reporting Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

• HPE: 25

• Verisign: 10

• High Tech Bridge: 4

• US-CERT: 3

• Secunia: 2

NFDF-74 65

Disclosing Institutions: Server Vulnerabilities

Public Vulnerability Research Market: Server Vulnerabilities by Reporting Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Chart: server vulnerabilities reported, by organization (US-CERT, HPE, Fortiguard, IBM); scale 0 to 70. The bar values are not legible in the text version of this slide.

NFDF-74 66

Disclosing Institutions: Business Applications Vulnerabilities

Public Vulnerability Research Market: Business Applications Vulnerabilities by Reporting Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

• HPE: 34

• US-CERT: 28

• High-Tech Bridge: 4

• Verisign iDefense: 3

• Core Security: 3

• IBM ISS: 2

• Secunia: 1

NFDF-74 67

Analysis of Targeted Applications by Type

• For the past few years, most of the participating public vulnerability research firms have observed that vulnerabilities are migrating toward the Web and toward Web-based applications. In 2014 this observation still held true: Frost & Sullivan found 197 vulnerabilities (or 27.1% of all vulnerabilities) directly related to Web applications.

• The Web browser was the most targeted application among Web applications, with 138 discovered vulnerabilities. Web-based applications accounted for 59 vulnerabilities.

• The Web browser is especially problematic. The most current available Microsoft Web browser is Microsoft Internet Explorer (IE) version 11. IEv6 through IEv11 are largely backward and forward compatible; however, "largely" is the operative word. In many cases, an application written for IEv9 is not compatible with IEv11. If an application built for IEv9 will not function in IEv11, organizations that depend on that application will likely not update to the newest browser.

• Even when nothing prevents it, individuals often will not go through the process of updating their browsers. This can have deleterious effects, because patch priority goes to the most recent browser edition (this applies to Google Chrome and Mozilla Firefox as well).

• The Oracle Java Runtime Environment is used in both business and media applications. Vulnerabilities were found in memory buffer handling (memory corruption), color conversion, drag-and-drop, and sandbox bypasses.

Source: Frost & Sullivan analysis.

NFDF-74 68

Analysis of Targeted Applications by Type (continued)

• Other business applications found to have vulnerabilities include IBM Lotus Notes and the SPSS Modeler data analytics tool, Novell GroupWise Messenger, Microsoft Word, and Hewlett-Packard Application Lifecycle Management.

• The media application category includes Adobe Reader, Flash Player, and Shockwave Player. Adobe was credited with 16 critical- or high-severity vulnerabilities, and eight were rated medium severity.

• Aside from Adobe media applications, other highly targeted media applications include Apple QuickTime. RealNetworks RealPlayer was found to have only one vulnerability by public vulnerability disclosing firms.

• Industrial control system (ICS) application vulnerabilities are growing because these systems have evolved to include standard operating system platforms and connectivity to corporate LANs and the World Wide Web. As a result, legacy systems and component devices with weak or non-existent security mechanisms are being exposed to modern external threats. The risk to ICS is gradually being addressed, but not nearly fast enough to protect against cyber attacks.

• Industrial control software framework components had 24 discovered vulnerabilities.

Source: Frost & Sullivan analysis.

NFDF-74 69

Analysis of Targeted Applications by Type (continued)

• There were six vulnerabilities found in IP/security cameras.

• Eight vulnerabilities were found in a Universal Plug and Play (UPnP) software development kit (SDK). Unfortunately, that SDK is found in over 200 products.

• Security management software from McAfee, Cisco, Symantec, HPE and others had 53 confirmed application vulnerabilities affecting servers, gateways and various security appliances on networks.

• Web content management systems (CMS) accounted for 29 of Frost & Sullivan's reported application vulnerabilities. Today, the most popular Web CMS platforms, WordPress, Joomla and Drupal, account for 75% of the market, and it is common for one or more to be included as a standard feature of web hosting services.

• CMS platforms also have security issues. WordPress security plugins found that 73% of all WordPress installations studied had unpatched vulnerabilities that could be detected with a freeware vulnerability scanner. Cybercriminals know that there are large numbers of unpatched installations on the Web, so they focus heavily on CMS-based sites.

• In the realm of public vulnerabilities, five vulnerabilities were found affecting social media.

Source: Frost & Sullivan analysis.

NFDF-74 70

Targeted Web Browser Type

Public Vulnerability Research Market: Percent of Reported Vulnerabilities by Web Browser Type, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

• Microsoft Internet Explorer: 89.1%

• Mozilla Firefox: 5.1%

• Google Chrome: 3.6%

• Apple Safari: 2.2%

NFDF-74 71

Targeted Web Browser Type (continued)

Public Vulnerability Research Market: Reported Web Browser Vulnerabilities, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by Web browser (percent of reported Web browser vulnerabilities):

• Microsoft Internet Explorer: 89.1%

• Mozilla Firefox: 5.1%

• Google Chrome: 3.6%

• Apple Safari: 2.2%

NFDF-74 72

Analysis of Targeted Web Browser Type

• In 2014, Microsoft Internet Explorer had the most publicly reported vulnerabilities with 123, radically up from the 73 reported in the 2013 study. Of the 123 IE vulnerabilities, 32 could still affect IEv6.

• Mozilla Firefox went from 12 vulnerabilities reported in 2013 to seven reported in 2014. Comparing the two years, it is unclear whether the Firefox browser is more securely configured, better patched, less targeted, or whether a statistical anomaly occurred.

• Web browsers accounted for 138 of the 197 vulnerabilities attributed to Web-based applications.

Source: Frost & Sullivan analysis.

NFDF-74 73

Vulnerability Analysis

NFDF-74 74

Vulnerability Definitions

This research study references Common Weakness Enumeration (CWE) specifications to describe vulnerability flaw types. Definitions of the most frequently occurring vulnerabilities in 2014 are as follows:

• Buffer errors - A memory buffer is a memory slot of a specific, allocated size. Hackers can write more data into the buffer than it was allocated for, which causes data to spill into adjacent memory slots, resulting in application crashes or malfunctions.

• Improper input validation - Improper input validation occurs when a program accepts incorrectly formatted data as valid user input. Attackers can then supply data that the program cannot handle, causing the application to crash or act improperly.

• Resource management errors - These errors occur when a program does not limit the amount of resources, such as memory or processing power, that it uses. Attackers can then use up all of the system's resources and block access by legitimate users.

• Numeric errors - Many programs must conduct precise mathematical calculations. When programs do not handle numbers accurately, such as in rounding or when changing the sign of a number, the program's accuracy is compromised.

• Cross-site scripting (XSS) - Cross-site scripting occurs when a Web site does not validate or protect a user's data before passing it to another user. Attackers can use this to place malicious script in Web pages that other users view.

• Permissions, privileges, and access - Errors relating to permissions, privileges, and access occur when a program grants too much access or too many rights to unauthorized parties.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.

NFDF-74 75

Vulnerability Definitions (continued)

• Code injection - Code injection occurs when third-party code infiltrates a program's legitimate code. This type of vulnerability allows attackers to control and manipulate a system.

• SQL injection - SQL injection enables attackers to execute code and control a database in an unauthorized manner. Vulnerabilities in Web sites or Web applications enable the attacker to inject code into the database, which allows the attacker to control the system.

• Cryptographic issues - Cryptography is a set of algorithms that render data indecipherable to unauthorized users. Authorized users are provided with the key to decrypt and read the data. These systems may be vulnerable to attacks that bypass the key or obtain unauthorized access to it.

• CSRF - Cross-site request forgery enables attackers to act as a particular end user and perform unauthorized actions. CSRF attacks rely on authorization and authentication data saved by a user's browser to perform actions as if the user had approved them.

• Authentication issues - Businesses rely on authentication systems to confirm user identity and determine the appropriate level of access. Vulnerabilities may exist that allow users to bypass or fool authentication systems and gain unauthorized access.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.
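As an added example (not code from the report), the following shows three of the flaw types defined above, improper input validation, SQL injection and cross-site scripting, each in the vulnerable form the definition describes next to its hardened form. The users table, the names and the comment text in it are constructed sample data.

```python
"""Improper input validation (CWE-20), SQL injection (CWE-89) and
cross-site scripting (CWE-79): vulnerable form beside hardened form.
Added example; not code from the Frost & Sullivan report."""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("O'Brien", "obrien@example.test"),
    ])
    return conn


def lookup_email_naive(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user-supplied name is pasted into the SQL text, so a
    quote in it becomes part of the statement. As the definition above says,
    the program then 'acts improperly or crashes'; here SQLite rejects the
    malformed statement with sqlite3.OperationalError."""
    return conn.execute(
        "SELECT email FROM users WHERE name = '" + name + "'").fetchall()


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a bound parameter keeps the name as data, never as SQL."""
    return conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def naive_lookup_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the naive query cannot even be parsed for this input."""
    try:
        lookup_email_naive(conn, name)
        return False
    except sqlite3.Error:
        return True


# Input validation: accept only what a name field legitimately needs
# (letters, spaces, apostrophes, periods, hyphens, bounded length).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,63}$")


def validate_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def render_comment_naive(author: str, text: str) -> str:
    """Vulnerable: one user's data is handed to the next user as raw markup."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author: str, text: str) -> str:
    """Hardened: encode for the HTML context the data is emitted into, so the
    browser displays the text instead of interpreting it."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def handle_lookup(conn: sqlite3.Connection, name: str) -> dict:
    """Reject malformed input first, then treat what remains strictly as data."""
    if not validate_name(name):
        return {"ok": False, "error": "invalid name"}
    rows = lookup_email_safe(conn, name)
    return {"ok": True, "emails": [row[0] for row in rows]}
```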

NFDF-74 76

Vulnerabilities Reported by Flaw Type 2013

Public Vulnerability Research Market: Reported Vulnerabilities by Top Flaw Type, Global, 2013

Note: All figures are rounded. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by flaw type:

• Buffer overflow errors: 158

• Insufficient information: 140

• Cross-site scripting (XSS): 53

• Code injection: 42

• Resource management errors: 41

• SQL injection: 29

• Cross-site request forgery (CSRF): 28

• Input validation: 24

• Permissions, privileges, and access control: 21

• Path traversal: 18

• Numeric errors: 13

• OS command injections: 10

• Information leak/disclosure: 10

• Other: 8

• Authentication issues: 8

• Cryptographic issues: 8

• Credentials management: 7

• Design error: 2

• Configuration: 1

• Race conditions: 1

• Format string: 1

• Redirection to unwanted site: 1

NFDF-74 77

Vulnerabilities Reported by Flaw Type (For 2014)

Public Vulnerability Research Market: Reported Vulnerabilities by Top Flaw Type, Global, 2014

Note: All figures are rounded. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by flaw type:

• Buffer overflow errors: 170

• Cross-site scripting (XSS): 78

• Input validation: 44

• Permissions, privileges, and access control: 42

• Insufficient information: 35

• Path traversal: 35

• Code injection: 32

• Resource management errors: 32

• SQL injection: 28

• Information exposure: 25

• Cross-site request forgery (CSRF): 22

• Cryptographic issues: 17

• Credentials management: 16

• OS command injections: 14

• Authentication issues: 13

• Other: 9

• Numeric errors: 6

• Resource manager errors: 6

• Command injection: 3

• Unrestricted upload of file: 2

NFDF-74 78

Disclosing Institutions: Buffer Overflow Errors

Public Vulnerability Research Market: Reported Buffer Overflow Errors by Reporting Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

• HPE: 125

• Verisign iDefense: 14

• US-CERT: 13

• Core Security: 13

• Other: 5

NFDF-74 79

Disclosing Institutions: Code Injection Errors

Public Vulnerability Research Market: Code Injection Errors by Reporting Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

• HPE: 18

• US-CERT: 11

• High Tech Bridge: 3

NFDF-74 80

Top Impact Type

Public Vulnerability Research Market: Percentage of Vulnerability Reports by Associated Impacts, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

• Denial-of-service/file modification/unauthorized access: 66.2%

• File modification: 12.5%

• Unauthorized disclosure: 8.9%

• Denial-of-service: 4.1%

• Unauthorized disclosure/modification: 1.8%

• Other: 6.5%

NFDF-74 81

Top Impact Types (continued)

Public Vulnerability Research Market: Percentage of Denial-of-Service/File Modification/Unauthorized Access Impacts by Reporting Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

• HPE: 55.2%

• US-CERT: 26.1%

• VeriSign iDefense: 5.2%

• High-Tech Bridge: 4.1%

• Core Security: 3.5%

• Fortiguard: 0.8%

• Secunia: 0.8%

• IBM ISS: 0.4%

• Other: 3.7%

NFDF-74 82

Analysis of Impact Types

• The NVD was the final authority used to report the impacts in the tables.

• Buffer overflow errors were the most common vulnerability flaw in 2013 and remained so in 2014. HPE found 125 buffer errors in 2014, followed by Verisign, which found 14 vulnerabilities related to buffer errors.

• Interestingly, the NVD determined there were 136 vulnerabilities where a known vulnerability flaw could not be ascribed to a potential exploit.

• Cross-site scripting (XSS) (78 vulnerabilities), input validation (44 vulnerabilities), and code injection (32 vulnerabilities) were the next most common vulnerability flaws.

• If a vulnerability was found, 66.2% of the time the impact was likely to be exploited to deny service, modify files and allow unauthorized access (482 vulnerabilities could be subject to all three impacts). This could be classified as a jailbreak vulnerability.

• HPE found 55.2% of all of the jailbreak vulnerabilities discovered by public vulnerability reporting organizations.

Source: Frost & Sullivan analysis.

NFDF-74 83

Competitive Analysis

NFDF-74 84

Competitive Analysis: Verified Vulnerabilities

Public Vulnerability Research Market: Market Share for Verified and Reported Vulnerabilities by Disclosing Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

• HPE: 43.5%

• US-CERT: 35.3%

• High-Tech Bridge: 7.4%

• Verisign: 3.7%

• Core Security: 2.7%

• FortiGuard Labs: 1.9%

• IBM ISS: 1.2%

• Secunia: 1.0%

• Other: 3.2%

NFDF-74 85

Competitive Analysis: Verified Vulnerabilities (continued)

Public Vulnerability Research Market: Verified Reported Vulnerabilities by Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

• HPE: 317

• US-CERT: 257

• High-Tech Bridge: 54

• Verisign iDefense: 27

• Core Security: 20

• FortiGuard Labs: 14

• IBM ISS: 9

• Secunia: 7

• Other: 23

NFDF-74 86

Competitive Analysis: Verified Vulnerabilities (continued)

Public Vulnerability Research Market: Total Verified Reported Vulnerabilities by Source, Global, 2013 and 2014

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

Organization           2013   2014
HPE                     249    317
US-CERT                 155    257
Secunia                  94      7
High-Tech Bridge         52     54
IBM ISS                  25      9
Core Security            22     20
Verisign iDefense        18     27
FortiGuard Labs           7     14
Other                     2     23

NFDF-74 87

Competitive Analysis: Verified and Unverified Vulnerabilities

Public Vulnerability Research Market: Verified and Unverified Reported Vulnerabilities by Source, Global, 2014

N=728 vulnerabilities. Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities reported, by organization:

• HPE: 343

• US-CERT: 282

• High-Tech Bridge: 54

• Verisign iDefense: 28

• Core Security: 20

• FortiGuard Labs: 18

• Secunia: 8

• IBM ISS: 8

NFDF-74 88

Competitive Analysis (continued)

• For statistical purposes, Frost & Sullivan uses only verified vulnerabilities in the formal analysis.

• This is not meant to cast aspersions on unverified vulnerabilities. By the Frost & Sullivan definition, a vulnerability is verified when NVD issues it a CVSS temporal score. Worth noting, the CVSS score given in an advisory does not always match the final score issued by NVD.

• The most likely reason a vulnerability remains unverified is that the NVD could not prove the vulnerability exists: either little exploit code was provided or the vulnerability could not be replicated in the lab.

• Another possibility is that the vulnerability has not yet been tested. By the time a vulnerability becomes public, usually within six months, a CVSS score is issued, but there are occasions when this takes longer.

• Vulnerability reporting by an individual company tends to vacillate from year to year. In 2014, HPE reported the most verified and unverified vulnerabilities with 343. In 2013, that number was down to 286; however, in 2012, the number of verified vulnerabilities was 249.

• In terms of verified vulnerabilities in 2014, US-CERT follows with 257, and High-Tech Bridge is next with 54.

Source: Frost & Sullivan analysis.
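The verification criterion above (an NVD-issued CVSS temporal score) and the earlier point that a faster time-to-patch improves severity ratings can both be made concrete with the CVSS v2 temporal formula. The following is an added example, not code from the Frost & Sullivan report; it uses the published CVSS v2 temporal weights and the NVD's v2 severity bands, and the base scores and vector strings in it are constructed.

```python
"""CVSS v2 temporal scoring (the score the NVD issues when it verifies a
vulnerability) and the effect of an official patch on that score.
Added example; not part of the Frost & Sullivan report."""
from decimal import Decimal, ROUND_HALF_UP

# Temporal metric weights from the CVSS v2 specification. Keys are the
# standard vector abbreviations; "ND" means Not Defined (no adjustment).
EXPLOITABILITY = {          # E: maturity of public exploit code
    "U": Decimal("0.85"),   # Unproven: no exploit code available
    "POC": Decimal("0.90"), # Proof-of-concept only
    "F": Decimal("0.95"),   # Functional exploit
    "H": Decimal("1.00"),   # High: widely available or no exploit needed
    "ND": Decimal("1.00"),
}
REMEDIATION_LEVEL = {       # RL: what fix exists
    "OF": Decimal("0.87"),  # Official vendor fix
    "TF": Decimal("0.90"),  # Temporary fix
    "W": Decimal("0.95"),   # Workaround
    "U": Decimal("1.00"),   # Unavailable
    "ND": Decimal("1.00"),
}
REPORT_CONFIDENCE = {       # RC: how well confirmed the report is
    "UC": Decimal("0.90"),  # Unconfirmed (single, unverified source)
    "UR": Decimal("0.95"),  # Uncorroborated
    "C": Decimal("1.00"),   # Confirmed (vendor acknowledgement or reproduction)
    "ND": Decimal("1.00"),
}


def round1(value: Decimal) -> float:
    """CVSS round_to_1_decimal: half-up rounding to one decimal place."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """TemporalScore = round_to_1_decimal(BaseScore * E * RL * RC)."""
    if not 0.0 <= base <= 10.0:
        raise ValueError("CVSS v2 base score must be between 0.0 and 10.0")
    product = (Decimal(str(base)) * EXPLOITABILITY[e]
               * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])
    return round1(product)


def nvd_v2_severity(score: float) -> str:
    """NVD's CVSS v2 severity bands. The critical/high/medium labels used in
    the report are Frost & Sullivan's own, not these NVD bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def patch_effect(base: float, e: str, rc: str) -> dict:
    """The same vulnerability before and after the vendor ships an official
    fix (RL moves from Unavailable to Official Fix); E and RC unchanged."""
    before = temporal_score(base, e, "U", rc)
    after = temporal_score(base, e, "OF", rc)
    return {"before": before, "after": after,
            "band_before": nvd_v2_severity(before),
            "band_after": nvd_v2_severity(after)}


def temporal_from_vector(base: float, vector: str) -> float:
    """Apply the temporal metrics found in a CVSS v2 vector string such as
    'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C'. The base metrics are not
    re-scored here (the base score is passed in); a temporal metric missing
    from the vector counts as Not Defined, so the score is unchanged."""
    metrics = dict(part.split(":", 1) for part in vector.split("/") if ":" in part)
    return temporal_score(base, metrics.get("E", "ND"),
                          metrics.get("RL", "ND"), metrics.get("RC", "ND"))
```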

NFDF-74 89

The Status Of Public Vulnerability Reporting

NFDF-74 90

The Status of Public Vulnerability Reporting

• The concept of public vulnerability reporting is rapidly fading.

• In 2013, BeyondTrust and VUPEN discontinued their public vulnerability reporting practices. Apparently, IBM ISS and Fortinet Labs have dedicated fewer resources to the practice.

• Understand that this does not mean that there is less vulnerability research, far from it. The majority of vulnerability incidents detected actually make it to the front lines of perimeter defenses.

• In vulnerability management, companies like Tenable Network Security, Qualys, and Beyond Security have extensive vulnerability libraries.

• Furthermore, large endpoint protection and security management platforms like Intel Security (McAfee) ePolicy Orchestrator and Cisco Advanced Malware Protection (AMP) uncover vulnerabilities.

• With Cisco Threat Grid and the Open Threat Exchange (OTX) sponsored by AlienVault, when any appliance in these companies' threat management networks detects malware, the information is shared with all of the appliances on the network.

• The relationships between PSIRT teams and security appliance teams continue to improve. As a hypothetical, if Rapid7 discovers a vulnerability in a Bank of America application, the odds of getting detailed information about the threat conditions to Bank of America are better in 2015 than in 2014 (and appreciably better than in 2010-11).

Source: Frost & Sullivan analysis.

NFDF-74 91

The Status of Public Vulnerability Reporting (continued)

• Reports are published by IBM, Symantec, and Cisco, among others.

• The idea of public disclosure is now connoted differently. The process involves a vulnerability discovery, reporting to MITRE, and an agreed-upon date to issue an advisory. Often that loop takes between three and seven months to complete, and intervals of more than a year are not uncommon.

• In the mid-2000s, "pay-for-discovery" was a fairly normal industry paradigm. Network professionals or people passionate about coding could discover vulnerabilities and make some extra income.

• By 2014, HPE was more or less alone in this practice.

• Some legacy practices exist. Secunia (which was purchased by Flexera Software in September 2015) uses public vulnerability disclosure to promote the products it offers in vulnerability management, patch management, and PC application protection.

• High-Tech Bridge uses its public vulnerability disclosure program to showcase its skill set in ethical hacking and to call attention to ImmuniWeb, its Web scanning and Web application testing platform.

• Google is also radically changing the game. In July 2014, Google announced Project Zero.

o As a part of Project Zero, Google announced the formation of a dedicated team that would discover and report vulnerabilities. In part, Google has a self-interest: Google has an Internet browser, and its search tools are more effective in a more secure environment.

Source: Frost & Sullivan analysis.

NFDF-74 92

The Status of Public Vulnerability Reporting (continued)

• The project has received mixed reviews. In December 2014, Google reported several vulnerabilities in Microsoft products. Microsoft felt that it had been unjustly singled out for unwarranted negative attention.

• In February 2015, Google announced it would extend the discovery-disclosure cycle to 90 days and would provide another two-week grace period if a company is actively working on patching its vulnerabilities.

• HPE maintains its Pwn2Own contests. The Pwn2Own program is a high-spirited contest for ethical hackers with cash incentives (in 2013 Pwn2Own paid $850,000 in prizes).

• At different times, hackers were challenged to break biometric code, mobile OSs, and selected software kernels.

• The HPE Zero Day Initiative (ZDI) still gets contributions from individuals reporting software platform defects and vulnerabilities. The individuals are still compensated.

• Many of the contributors have been with the program since 2010, and these researchers are demonstrating proof-of-concept at the root-cause level and writing succinct, verifiable exploit code.

• For public vulnerability reporting, HPE pulls in elements of Fortify, Pwn2Own, the HP ZDI, and TippingPoint.

• In October 2015, Trend Micro announced that it is acquiring HP TippingPoint.

• According to Trend Micro, HPE and Trend Micro have also agreed to a strategic OEM arrangement that includes the incorporation of select components of the next-generation intrusion prevention systems (NGIPS) into HPE's networking division.

Source: Frost & Sullivan analysis.

NFDF-74 93

Conclusions

NFDF-74 94

Conclusions

Source: Frost & Sullivan analysis.

1 Many of the public vulnerability reporting firms felt that there were more, but less severe, vulnerabilities in 2014 than in 2013. At least in the sampling Frost & Sullivan considered, there were more vulnerabilities, and they were slightly less severe than the year before, partly because an improved time-to-patch rate is helping to improve vulnerability severity ratings.

2 Without exception, public vulnerability companies report improving relations with the PSIRTs of major companies. This leads to better patch management.

3 Vulnerability research is expanding beyond network endpoints. Web applications and browsers, malware, mobile malware, SCADA, and the Internet of Things are becoming part of vulnerability research.

NFDF-74 95

Appendix

NFDF-74 96

Vulnerability Database Sources (for 2014)

• CORE Security Research

• FortiGuard Labs

• Hewlett-Packard Enterprise

• High-Tech Bridge

• IBM ISS

• National Vulnerability Database

• Secunia

• US-CERT

• Verisign iDefense

NFDF-74 97

List of Publications Cited in This Report

• Cisco 2014 Annual Security Report

• Cisco 2015 Annual Security Report

• Fortinet 2014 Threat Landscape Report

• HPE Cyber Risk Report 2014

• HPE Cyber Risk Report 2015

• IBM X-Force 2014 Mid-Year Trend and Risk Report

• IBM X-Force Threat Intelligence Quarterly 1Q 2014

• IBM X-Force Threat Intelligence Quarterly, 4Q 2014

• Secunia Vulnerability Review 2014

• Verizon Data Breach Investigations Report 2014

• Symantec Internet Security Threat Report 2015

• High-Tech Bridge Security Research Blog

• Motive Security Labs H1 2015 Malware Report

Source: Frost & Sullivan

NFDF-74 98

Legal Disclaimer

• Frost & Sullivan takes no responsibility for any incorrect information supplied to us by manufacturers or users. Quantitative market information is based primarily on interviews and therefore is subject to fluctuation. Frost & Sullivan research services are limited publications containing valuable market information provided to a select group of customers. Our customers acknowledge, when ordering or downloading, that Frost & Sullivan research services are for customers' internal use and not for general publication or disclosure to third parties. No part of this research service may be given, lent, resold or disclosed to noncustomers without written permission. Furthermore, no part may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the permission of the publisher.

• For information regarding permission, write to:

Frost & Sullivan

331 E. Evelyn Ave. Suite 100

Mountain View, CA 94041

© 2014 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan.

No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.

NFDF-74 99

The Frost & Sullivan Story

The Journey to Visionary Innovation

NFDF-74 100

The Frost & Sullivan Story

NFDF-74 101

Value Proposition: Future of Your Company & Career

Our 4 Services Drive Each Level of Relative Client Value

NFDF-74 102

Global Perspective

40+ Offices Monitoring for Opportunities and Challenges

NFDF-74 103

Industry Convergence

Comprehensive Industry Coverage Sparks Innovation Opportunities

• Automotive & Transportation

• Aerospace & Defense

• Measurement & Instrumentation

• Information & Communication Technologies

• Healthcare

• Environment & Building Technologies

• Energy & Power Systems

• Chemicals, Materials & Food

• Electronics & Security

• Industrial Automation & Process Control

• Automotive

• Transportation & Logistics

• Consumer Technologies

• Minerals & Mining

NFDF-74 104

360º Research Perspective

Integration of 7 Research Methodologies Provides Visionary Perspective

NFDF-74 105

Implementation Excellence

Leveraging Career Best Practices to Maximize Impact

NFDF-74 106

Our Blue Ocean Strategy

Collaboration, Research and Vision Sparks Innovation