Public Vulnerability Research Market in 2014
The Evolving Threat Environment During the Internet of Things Era
November 2015
NFDF-74
Research Team
• Pamela Tufegdzic, Industry Analyst, ICT – Network Security, (248) 259-2053
• Michael Suby, Vice President of Research, Stratecast/Frost & Sullivan, (720) 344-4860
• Frank Dickson, Research Director, ICT – Network Security, (469) 387-0256
• Chris Kissel, Industry Analyst, ICT – Network Security, (623) 910-7986
List of Exhibits
Section Slide Number
Executive Summary 8
Market Overview 10
• Market Overview – Research Objectives 11
• Market Overview (continued) 12
• Market Overview—Best Practices Public Vulnerability Disclosure 17
• Market Overview—The Evolving Attacker 18
• Market Overview—Terminology and Definitions 19
• Market Overview—Key Questions This Insight Answers 22
Research Methodology 23
Cyber Threat Analysis and Reporting 26
Introduction to Cyber Threat Analysis and Reporting 27
The Internet of Things 28
The Internet of Things—(continued) 29
List of Exhibits (continued)
Section Slide Number
• SCADA 31
• Software―Java 33
• Malware 34
• Mobile Malware 37
Market Trends in Public Vulnerabilities 38
• Vulnerabilities Reported by Year 39
• Vulnerabilities Reported by Quarter 40
• Market Trends 41
• Vulnerability Disclosure 43
• Vulnerability Disclosure by Organization Type 46
• Analysis of Vulnerabilities by Severity 49
List of Exhibits (continued)
Section Slide Number
Comparison of Targeted Applications 59
• Targeted Applications 60
• Analysis of Targeted Applications 61
• Top Targeted Types of Applications 62
• Disclosing Institutions: Web Browser Vulnerabilities 63
• Disclosing Institutions: Media Applications Vulnerabilities 64
• Disclosing Institutions: Server Vulnerabilities 65
• Disclosing Institutions: Business Applications Vulnerabilities 66
• Analysis of Targeted Applications by Type 67
• Targeted Web Browser Type 70
• Analysis of Targeted Web Browser Type 72
Vulnerability Analysis 73
• Vulnerability Definitions 74
• Vulnerabilities Reported by Flaw Type (For 2013) 76
• Vulnerabilities Reported by Flaw Type (2014) 77
List of Exhibits (continued)
Section Slide Number
• Disclosing Institutions: Buffer Overflow Errors 78
• Disclosing Institutions: Code Injection Errors 79
• Top Impact Type 80
• Analysis of Impact Types 82
Competitive Analysis 83
• Competitive Analysis Verified Vulnerabilities 84
• Competitive Analysis Verified and Unverified Vulnerabilities 87
Status of Public Vulnerabilities 89
Conclusions 93
• Certification 95
Appendix 96
• Vulnerability Database Sources (for 2014) 97
• List of Publications Cited in This Report 98
Legal Disclaimer 99
List of Exhibits (continued)
Section Slide Number
The Frost & Sullivan Story 100
• Value Proposition: Future of Your Company & Career 102
• Global Perspective 103
• Industry Convergence 104
• 360º Research Perspective 105
• Implementation Excellence 106
• Our Blue Ocean Strategy 107
Executive Summary
Executive Summary—Key Findings
• 728 software vulnerabilities were reported publicly by research organizations in 2014.
o Critical vulnerabilities (CVSS base score of 10.0) made up 12.4% of the vulnerabilities disclosed in 2014, down from 24.5% in 2013.
o High-severity vulnerabilities accounted for 30.6% of disclosed vulnerabilities (down from 44.1% in 2013).
o Medium- and low-severity vulnerabilities represented 51.5% and 3.2% of the vulnerabilities disclosed in 2014, respectively.
o The shift toward lower severity ratings suggests that better security measures and faster time-to-patch are having an effect.
o HPE had the most verified vulnerabilities reported, with 317, demonstrating the productivity of the HPE TippingPoint contributor program.
• Hewlett Packard Enterprise (HPE) found 150 critical and high-severity vulnerabilities. In this report a vulnerability is labeled critical if its Common Vulnerability Scoring System (CVSS) base score is 10.0, and high if its base score is 7.0 to 9.9. All other disclosing companies combined accounted for 163 high-severity vulnerabilities.
• Buffer overflow errors were the most common vulnerability flaw type in 2013 and remained so in 2014. HPE found 125 buffer overflow vulnerabilities in 2014, followed by Verisign iDefense with 14.
• In 2014, the six applications with the most vulnerabilities were Microsoft Internet Explorer, Oracle Java Runtime Environment, Microsoft Windows, Adobe Flash Player, Apple QuickTime, and Adobe Reader.
• Frost & Sullivan counted 197 vulnerabilities (27.1% of all vulnerabilities) directly related to Web applications.
• SCADA vulnerabilities increased from 25 in 2013 to 33 in 2014.
• Researchers are looking beyond network-attached endpoints for vulnerabilities: Web applications and browsers, malware, mobile malware, SCADA, and the Internet of Things are increasingly scrutinized.
• Legacy systems and software that are no longer supported are a major concern for IT departments. On April 8, 2014, Microsoft ended support for Windows XP on PCs, and an estimated 300 million PCs were still running XP.
Source: Frost & Sullivan analysis.
Market Overview
Research Objectives
Primary Objective
• To acquire, record, and derive an insightful understanding of public vulnerability research from reliable vulnerability vendors and research laboratories in 2014
Secondary Objectives
• To identify and promote prolific reporters of vulnerabilities
• To highlight and emphasize the strongest work produced by companies engaging in public vulnerability research reports
• To analyze the gathered vulnerability data for trends and common factors
Market Overview
• This is a study both of software vulnerabilities and of the companies that publicly disclose them.
• A security vulnerability is any flaw in an IT system that an attacker can exploit to compromise the confidentiality or integrity of the system, or to deny legitimate users access to it. Other industry terms for security vulnerabilities include "software bug" and "flaw."
• How vulnerability analysis should be shared with third parties has long been debated. Full disclosure is the practice of making the details of security vulnerabilities public.
o The argument for keeping vulnerabilities secret is that secrecy keeps them out of the hands of attackers; this assumes attackers cannot discover the vulnerabilities on their own. It also assumes that organizations will spend the time and money to fix vulnerabilities that nobody else knows about. Both assumptions have proven false.
o Attackers have proven quite adept at discovering undisclosed vulnerabilities, and full disclosure forces organizations to patch their systems routinely.
• Organizations tend to treat vulnerabilities less as a software problem and more as a public relations (PR) problem. Full disclosure makes the PR problem more acute, so organizations are quicker to patch.
o An organization that receives negative PR every time a vulnerability is made public will release a patch quickly to limit the damage.
• Full disclosure helped shape the standardization of how vulnerabilities are tracked, managed, and stored.
Market Overview (Continued)
• Since 1999, the MITRE Corporation has maintained the Common Vulnerabilities and Exposures (CVE) list, which standardizes how publicly known vulnerabilities are identified, tracked, and shared.
• MITRE is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs) providing practical solutions to some of the United States' critical challenges, including the National Cybersecurity FFRDC, which works to enhance cyber security and protect national information systems.
o Funding for the CVE program comes from the National Cyber Security Division of the United States Department of Homeland Security.
• MITRE documentation defines CVE identifiers (also called CVE numbers, CVE-IDs, and CVEs) as unique common identifiers for publicly known information-security vulnerabilities in publicly released software packages.
• In other words, CVE is a dictionary of common names for publicly known information security vulnerabilities. Its common identifiers make it easier to share data across separate security databases and tools, provide a baseline for evaluating the coverage of an organization's security tools, and enable a quick and accurate assessment of how to remediate vulnerabilities.
Market Overview (Continued)
• CVE identifiers are assigned by CVE Numbering Authorities (CNAs). There are three main kinds of assignment:
o The MITRE Corporation acts as editor and primary CNA.
o Vendor CNAs assign CVE entries for their own products (for example, Microsoft, HPE, and Oracle).
o Red Hat (a multinational software company providing open-source software products to the enterprise community), itself a CNA, also assigns CVE numbers for open source projects that have no CNA of their own.
• CVE is one of the specifications used by the Security Content Automation Protocol (SCAP), a suite of standards for expressing vulnerability and configuration data in machine-readable form so that checking and impact assessment can be automated.
• CVEs are listed on MITRE's system as well as in the U.S. National Vulnerability Database (NVD).
• The NVD is the U.S. government repository of standards-based vulnerability management data for SCAP. Using SCAP, this data enables automation of vulnerability management, security measurement, and compliance.
• The NVD is the CVE dictionary augmented with additional analysis, a database, and a fine-grained search engine, which makes the NVD a superset of CVE.
• The NVD is synchronized with CVE, so updates to CVE entries appear in the NVD as well.
Market Overview (Continued)
• The NVD uses the Common Vulnerability Scoring System (CVSS) Version 2, an open standard for scoring vulnerability severity that is designed to help organizations determine the urgency and priority of their response.
• The NVD provides a CVSS score for each CVE-ID: a numeric value between 0.0 and 10.0, with higher scores representing greater severity. This report maps the scores to the following rankings:
o "Critical to High" severity: CVSS score of 7.0 to 10.0 (this report further separates a score of exactly 10.0 as "Critical").
o "Medium" severity: CVSS score of 4.0 to 6.9.
o "Low" severity: CVSS score of 0.0 to 3.9.
o Some vulnerabilities lack enough information to assign a CVSS score and are ranked "Not Applicable" (NA).
Market Overview (Continued)
• The vulnerability disclosing institutions covered in this report are:
o Core Security, Fortinet, High-Tech Bridge, HPE, IBM, Secunia, US-CERT, and Verisign.
o "Government reporting" refers to vulnerabilities disclosed by the United States Computer Emergency Readiness Team (US-CERT).
• US-CERT is a government organization; the other reporting organizations sell security-related services or security devices.
• In the last 36 months, BeyondTrust and VUPEN Security have dropped out of formal public vulnerability reporting. Core Security and Codenomicon Labs do not have a regular cadence for vulnerability reporting. (Codenomicon Labs is recognized for the initial discovery of the Heartbleed vulnerability in OpenSSL.)
• Companies like Google and Yahoo pay hackers for discovered vulnerabilities. However, the economics do not yet support vulnerability discovery through formal bounty programs alone. Ethical hackers still matter, but the goal is to demonstrate vulnerabilities in the context of a larger security platform.
• Frost & Sullivan considers vulnerabilities that have been disclosed by public vulnerability reporting agencies; this pool totals 728 vulnerabilities in 2014.
o HPE had 318 verified, publicly reported vulnerabilities.
o US-CERT had 282.
o High-Tech Bridge had 54.
Market Overview—Best Practices in Public Vulnerability Disclosure
• Companies that uncover and report the most vulnerabilities can be perceived as having the most capable research team, and that perception in turn lends credibility to their security tools.
o On occasion, bounties are offered to independent researchers or public vulnerability teams to discover vulnerabilities. For individual researchers, this is how they make their money.
• IBM, HPE, High-Tech Bridge, Secunia, and FortiGuard Labs wait until a vulnerability has been vetted by the vendor, and keep waiting until the vendor is comfortable with an advisory, before going public.
• While well-intended, this practice does frustrate public vulnerability disclosing institutions. Vulnerabilities are first reported to the vendor's Product Security Incident Response Team (PSIRT). If the PSIRT is busy with other obligations, does not test the vulnerability internally, or is slow to act on it, the public advisory is delayed.
• Delays in the public advisory process can cascade. If a shared component such as a Linux kernel is used in several products, every product that depends on it remains at risk until the component is fixed at the source-code level.
Market Overview—The Evolving Attacker
• Unfortunately, the job of IT security continues to be unrelenting and grows more difficult.
• Nation-states have conducted campaigns against other countries, manufacturing interests, nuclear facilities, and media outlets. Businesses such as online gaming companies hire agencies to launch denial-of-service attacks against competitors during peak hours in the hope of making their own services more attractive.
• Cyber gangs operate much like the gangsters of the past; their only deterrent is the chance of being caught. The criminal element offers services with a veneer of legitimacy: formal service level agreements (SLAs) are imaginable for everything from service disruption to personal information gathering, stolen credit card numbers, and social network account hijacking.
• Basic exploit kits are available for purchase, so limited technical expertise is less of a barrier to entry for would-be attackers.
• Low-tech threats are increasing in volume, and high-tech threats are increasing in sophistication.
Market Overview—Terminology and Definitions
This research study references Common Weakness Enumeration (CWE) specifications to describe vulnerability flaw types. Definitions of the most frequently occurring vulnerabilities in 2014 are as follows:
• Buffer errors - A memory buffer is a region of memory of a fixed, allocated size. If a program copies more data into a buffer than it can hold, the excess overwrites adjacent memory, causing crashes or malfunctions; with crafted input an attacker can use that overwrite to take control of the program.
• Improper input validation - Occurs when a program accepts incorrectly formatted or out-of-range data as valid input. Attackers can then supply data that the program cannot handle, causing it to crash or behave improperly.
• Resource management errors - Occur when a program does not correctly allocate, track, or release resources such as memory, file handles, or processing time. Attackers can exhaust the system's resources to block access by legitimate users.
• Numeric errors - Many programs must perform precise calculations. When a program mishandles numbers, for example through rounding errors, integer overflow, or sign conversion, its results (and any size or bounds checks based on them) can be wrong.
• Cross-site scripting (XSS) - Occurs when a Web site includes user-supplied data in a page without validating or encoding it. An attacker can inject script that then runs in other users' browsers in the context of the site.
• Permissions, privileges, and access control - Errors in this category occur when a program grants excessive access or rights to unauthorized parties.
Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.
Market Overview—Terminology and Definitions (continued)
• Code injection - Occurs when attacker-supplied input is interpreted as code by the program, so third-party code runs alongside the program's legitimate code. This type of vulnerability allows attackers to control and manipulate a system.
• SQL injection - A form of code injection in which attacker-supplied input is built into a database query without proper separation between query structure and data. The attacker can then alter the query to read, modify, or delete data, bypass authentication, or in some cases execute commands on the database server.
• Cryptographic issues - Cryptography is a set of algorithms that render data indecipherable to unauthorized users; authorized users hold the key needed to decrypt and read the data. Weak algorithms, flawed implementations, or poor key handling can let an attacker bypass the protection or obtain the key.
• CSRF - Cross-site request forgery lets an attacker cause a logged-in user's browser to send requests the user did not intend. CSRF attacks rely on the browser automatically attaching stored credentials (such as session cookies) to requests, so a request forged from another site is processed as if the user had made it.
• Authentication issues - Businesses rely on authentication systems to validate user identity before granting the appropriate level of access. Vulnerabilities may allow users to bypass or fool the authentication system and gain unauthorized or excessive privileges.
Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.
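The SQL injection and authentication definitions above describe the flaw in words. The following Python is an added example written for this edition, not code from the report or from any vendor it covers: it shows the vulnerable pattern (user input spliced into the query text) next to the fixed pattern (a parameterised query), using the standard-library sqlite3 module. The user table, user names, passwords, and the login-bypass payload are constructed placeholders.

```python
"""SQL injection (CWE-89): string-built query versus parameterised query.

Added example for this edition; not code from the report or the vendors it covers.
The user table below is constructed sample data. Passwords are stored in clear text
only to keep the demonstration short; a real system stores salted hashes.
"""
import sqlite3

SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text, so a quote in the input
    ends the string literal and the rest of the input becomes SQL syntax."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised query: the statement and the values travel separately, so
    the input is compared as data and cannot change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run both versions with a legitimate login and with a bypass payload."""
    conn = make_db()
    payload = "' OR '1'='1"   # closes the literal, then appends an always-true clause
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_bypass": login_vulnerable(conn, "alice", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_bypass": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for case, users in demo().items():
        print(f"{case:18s} -> {users}")
```

With the payload as the password, the string-built query becomes `... AND password = '' OR '1'='1'`, which matches every row and so "authenticates" the attacker as any user; the parameterised version compares the payload as a literal password and matches nothing.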
Market Overview—Terminology and Definitions (continued)
• The Microsoft Windows family of operating systems includes Windows ME (2000), Windows 2000, Windows XP (2001), Windows Server 2003, Windows Vista (2006), Windows 7 (2009), Windows 8 (2012), and Windows 10 (2015).
• The Mac OS family of operating systems includes all versions of Mac OS X and Mac OS X Server. The Linux/Unix category includes Linux and Unix-based operating systems, including Android.
• Individual reporting covers security researchers who report vulnerabilities to security vendors for disclosure. These individuals are either credited by name or remain anonymous.
• Disclosure credit applied to security vendors covers organizations whose research laboratories find, gather, and disclose vulnerabilities.
Market Overview—Key Questions This Insight Answers
Where does vulnerability research fit into the overall information and network security industry?
What are the major trends in the public vulnerability research market?
What type of vulnerabilities are reported the most?
Which applications and application types were prone to vulnerabilities in 2014?
What types of vulnerability errors resulted in severe impacts?
How are companies starting to report threats in malware and mobile malware?
Research Methodology
• Vulnerability information in this study comes from vendor briefings, Frost & Sullivan in-house research, vendor publications, and publicly reported vulnerabilities.
• The United States Computer Emergency Readiness Team (US-CERT) Vulnerability Notes are a primary source of vulnerability data in this Market Insight.
• The National Vulnerability Database (NVD) provides severity metrics and technical data. To be counted in this report, a vulnerability must have a unique Common Vulnerabilities and Exposures (CVE) identifier or US-CERT number.
• Requiring CVE numbers eliminates double counting: each identifier counted represents a single vulnerability, even when several organizations report it.
• Validation and qualitative information are based on analyst interviews with market participants and secondary research.
• The NVD provided Common Vulnerability Scoring System Version 2.0 (CVSS v2) scores and rankings for each vulnerability reported. (Note: CVSS v3 is being phased in.)
Research Methodology (continued)
• CVSS is a widely accepted industry standard and is applied to most reported vulnerabilities.
• CVSS provides a base score that represents the intrinsic characteristics of each vulnerability. The base score does not account for temporal or environmental conditions.
• In addition to the numeric CVSS scores, this report provides a severity ranking for each vulnerability by mapping qualitative rankings to numeric CVSS scores.
• Government research, individuals, manufacturers, and security vendor vulnerability reports contributed to this Market Insight. Credit for a vulnerability is attributed to the disclosing organization. For example, US-CERT may credit Rapid7 with discovering a vulnerability, but US-CERT is counted as the disclosing institution.
• This report also includes original vulnerability discoveries reported on research vendor Web sites. For a complete list of sources, see Vulnerability Database Sources (for 2014).
• Research sections attributed to specific vendors are the result of briefings and publicly disclosed records. Specific quotes were sent back to the vendors to confirm accuracy.
• The formal reporting focuses on the base year 2014.
Cyber Threat Analysis and Reporting
Introduction to Cyber Threat Analysis and Reporting
• The majority of this report focuses on software vulnerabilities that are publicly disclosed and given Common Vulnerability Scoring System (CVSS) v2 scores.
• The research paradigms are changing: the types of companies that disclose vulnerabilities to vendors, and the ways they share results on a global platform, are shifting.
• Increasingly, threats are not confined to the network perimeter. Hackers glean information from social media Web sites and are developing new strategies, such as watering-hole and phishing attacks, to deliver exploits.
• Two developments, heterogeneous networking and the Internet of Things, are strengthening communications platforms. Unfortunately, the same new networking systems that create agility for businesses also give hackers ways into networks.
• Smartphones, tablets, and custom-built devices use the Internet for personal and commercial applications. Mobile represents a new frontier for app developers and would-be attackers alike.
• Many of the companies Frost & Sullivan worked with in developing this report are producing excellent content on all types of vulnerabilities.
The Internet of Things
• The Internet of Things (IoT) refers to devices embedded with sensors, software, electronics, and network connectivity that enable them to collect and exchange data or be controlled remotely across an existing network infrastructure.
• In 2015, Ericsson forecast 26 billion connected devices by 2020. Cisco forecast in 2013 that there would be 30 billion connected devices by 2020, most of them machine-to-machine (M2M) connections feeding big data analytics.
• The new connected devices and systems include, but are not limited to, home and small office routers, home and commercial automation systems, networks of thin clients, purpose-built devices, and connected automobiles. As more physical devices become connected, the diversity of these technologies raises security concerns.
• IoT requires more bandwidth and computational power, and the era of cloud services is helping to accommodate it.
• The cloud is fundamentally (but not always) a browser-accessed, off-premises technology. Advantages of cloud-based services include high-bandwidth connections to the data centers hosting the workload, auto-provisioned computing, effectively unlimited storage, and mitigation of obsolescence as services and applications replace equipment purchases.
The Internet of Things (continued)
• Cloud security is a matter of open debate. Cloud computing and cloud storage vendors argue that cloud architecture does not add any additional security concerns.
• However, much of the communication from virtual workloads goes through OpenStack software libraries. If a vulnerability is discovered in OpenStack middleware, firmware, or software kernels, a large number of servers could be exploited at once.
• There are concept ideas that automobiles can be used to extend the public Wi-Fi grid. A network of Internet-connected vehicles that provide free Wi-Fi to people in and around them while collecting data about the environment they move through encapsulates what the IoT is trying to achieve.
• The internal electronic system in automobiles is the controller area network (CAN) bus. Historically, manipulating automotive electronics required physical access.
• However, any system that is tied to cellular networks or Wi-Fi, such as an on-board navigation system or a GPS unit connected to the Internet, is potentially vulnerable.
• The IoT continues to grow. According to HPE, IoT continues to capitalize on new opportunities in areas such as sensor monitoring in traffic, railways, cars, the home, the local power grid, embedded medical devices (including wearable sensors), and computing.
The Internet of Things (continued)
• IBM X-Force has identified the following points of protection and the types of security controls that should be implemented for IoT:
o A secure operating system with trusted firmware guarantees, including the ability to perform over-the-network or over-the-air updates across untrusted connections.
o A unique identifier. While IPv6 is key to addressing "things" on networks, "things" also need a subscription to a trusted identity database.
o Strong authentication and access control. When users access the data on "things" or control them through a cloud service from a mobile device, it is crucial to verify that the user is who he or she claims to be.
o Data privacy protection. The data that flows to and from "things," and that may be stored on "things" or their controlling devices, can be sensitive.
o Strong application security. Vulnerabilities arise from software bugs. Hardware manufacturers are often not experts in software development, including the Web applications that may reside on the "thing" or exist as a cloud portal and mobile apps; using certified software may help reduce software bugs.
• The IBM model for the IoT is still a work in progress, since the IoT as a whole is still evolving.
SCADA
• The Stuxnet attacks, discovered in June 2010, were game-changers for Supervisory Control and Data Acquisition (SCADA) security. Stuxnet is a worm widely believed to have been developed by US and Israeli government agencies and launched against Iran's nuclear development facilities. Several research firms maintain that it spread like a virus, reaching systems well beyond the Iranian facilities.
• SCADA systems were once considered both low-risk and low-gain targets, but they sit outside of traditional security walls.
o Attacks were low-risk in the sense that SCADA systems were attached to machinery or automation sets and self-contained. They were low-gain in that self-contained systems held no personal information, financial assets, or intellectual property.
o However, the Stuxnet attacks showed how nation-states can cause physical disruption.
• Legacy SCADA systems have always offered supervisory control, allowing operators to act on remote locations through various controls and mechanisms while collecting data from remote devices.
• In the current generation, most SCADA systems have adopted Internet of Things technology. The use of open, IP-based protocols such as TLS provides a more comprehensible and manageable security boundary than the diverse mix of proprietary protocols typical of many decentralized SCADA systems. However, linking SCADA and IP systems creates more vulnerabilities.
SCADA (continued)
• Real-time analytics and the use of virtualized computing, in cloud and non-cloud environments, enable SCADA systems linked with IoT technology to implement more complex control algorithms than are feasible on traditional programmable logic controllers.
• The move from legacy SCADA systems to more standardized and automated solutions, with more connections between SCADA systems, office networks, and the Internet, has made them more vulnerable to cyber attacks. Industrial control vendors suggest approaching SCADA security like information security, with a defense-in-depth strategy that leverages common IT practices.
• Part of the problem with public vulnerability disclosure in the SCADA space is that PSIRTs for SCADA products do not have the same degree of interaction with disclosing laboratories. SCADA PSIRTs are unfamiliar with the cycle of acknowledging a vulnerability, remediating it, patching, and then disclosing publicly.
• Frost & Sullivan's research indicates that SCADA vulnerabilities increased from 25 in 2013 to 33 in 2014.
Software―Java
• Java is one of the most commonly used programming languages and runs in all types of applications:
o Java runs on 97% of enterprise desktops.
o In the US, Java is installed on 89% of all PCs.
o Three billion mobile phones run a Java environment.
o There are currently nine million Java developers worldwide.
• Cisco reported that Java exploits decreased by 34% as Java security improved and adversaries moved to new
attack vectors. In 2014, exploits of client-side vulnerabilities in Adobe Flash Player and Microsoft Internet
Explorer took the lead away from Java.
• However, Apple, Amazon and Google have restricted Flash-based advertising because of the rise in
malvertising, forcing advertisers to turn to alternatives such as HTML5 and JavaScript for marketing purposes.
• Data from the National Vulnerability Database (NVD) shows a similar decline: the NVD recorded 309 Java
vulnerabilities in 2013 and 253 new Java vulnerabilities in 2014.
• Cisco Security Research attributes the decline in Java exploits partly to modern Java versions that patch
themselves automatically, while older, more vulnerable versions of the Java Runtime Environment are blocked
by default by browser vendors.
• Apple, as a precaution, disables old and vulnerable versions of Java and delivers fixes through automatic updates.
• The latest version, Java 8, has stronger controls than previous releases. It is also harder to exploit because it
requires human interaction: applets must be code-signed, and a user dialogue asks the user to enable Java
before it runs.
Source: Frost & Sullivan analysis.
Malware
• Malware is short for “malicious software”: software intended to damage, disable or take control of
computers and computer systems without the user’s consent.
• Malware continued to plague computer networks globally in 2014 in the form of viruses, worms, Trojan
horses, spyware and more.
• Point-of-sale (POS) security breaches were the biggest stories of 2014. The Identity Theft Resource
Center recorded 761 data breaches across financial, business, educational, government and medical
institutions. Some of the more notorious events were the Sony hack and the POS malware attacks on
Target, Staples, Dairy Queen, Michaels and Home Depot, which resulted in the theft of credit and debit
card details and email addresses from POS systems.
• POS systems are migrating to EMV (Europay, MasterCard and Visa) chip-and-PIN cards, which store
their data on an integrated circuit rather than a magnetic stripe, making the card nearly impossible to
clone. Many EMV cards still carry a magnetic stripe for backward compatibility, however, and that stripe
remains as easy to skim and clone as before.
• In 2014 High-Tech Bridge observed a rise in ransomware: malware that extorts money from victims by
holding their data or system access for ransom, typically using asymmetric encryption so that the
decryption key never exists on the infected machine.
• RansomWeb attacks target Web application owners rather than individual end users. The attacker inserts
code on a vulnerable Web server so that data the application writes to its database, login credentials
included, is silently encrypted. Once the attacker removes the key from reach, the data is inaccessible
to its owner until the ransom is paid.
Source: Frost & Sullivan analysis.
Malware (continued)
• According to Symantec, ransomware attacks grew 113% in 2014, driven by a more than 4,000%
increase in crypto-ransomware attacks.
• In 2013, crypto-ransomware accounted for a negligible share of all ransomware (0.2%, or 1 in 500
instances). In 2014, crypto-ransomware was seen 45 times more frequently.
o While crypto-ransomware predominantly attacks devices running Windows, Symantec has seen an
increase in versions developed for other operating systems.
o Notably, the first piece of crypto-ransomware on mobile devices was observed on Android last year.
• HPE’s “Cyber Risk Report 2015” notes that the number of malware samples collected by AV-Test.org
has escalated from 83 million to an estimated 140 million.
• Anti-virus (AV) is the formal security measure designed to prevent malware. AV is held in lower esteem
by security experts each year as attacks become more sophisticated. However, AV remains valuable if
properly implemented; for one thing, when used in conjunction with reputation data, the rate of false
positives is appreciably diminished.
• Fortinet holds a patent on Compact Pattern Recognition Language (CPRL), which uses emulation to
examine suspect code. The purpose of CPRL is to use AV not only to detect commodity malware but
also to detect Advanced Persistent Threats.
Malware (continued)
• According to IBM X-Force, the United States dominates by hosting nearly 43% of all malicious links.
The country with the second-highest concentration of malicious links is China, which hosts around 11%,
followed by Germany at 8.3%.
• Non-targeted attacks still make up the majority of malware, which increased by 26% in 2014 per
Symantec. There were more than 317 million new pieces of malware created last year, meaning nearly
one million new threats were released into the wild each day.
• Malware is largely self-generating: better than 95% of malware samples are created by botnets.
• Fortinet research noted that ZeroAccess, Andromeda, Jeefo, Smoke and Morto were five of the most
active botnets in 2013.
• Support for Microsoft’s popular Windows XP officially ended on April 8, 2014. Microsoft no longer
distributes security patches for the operating system, so any vulnerability found after that date will
remain unpatched. This gives attackers a large, permanently exposed attack surface.
• In 2014, 1 in 1,126 Web sites was found to host malware, compared to 1 in 566 in 2013, according to
Symantec.
• In 2014, 20% of all Web site vulnerabilities were considered critical, giving cyber criminals the ability to
access users’ sensitive data, per Symantec.
Source: Frost & Sullivan analysis.
Mobile Malware
• Differing definitions of “malware” make measuring mobile malware risk extremely difficult.
• Mobile users face a range of very real risks from ransomware, spyware, malicious apps and financial
malware.
• There were 168 mobile vulnerabilities disclosed in 2014, a 32% increase over 2013.
• According to Symantec, 84% of mobile vulnerabilities in 2014 related to Apple iOS, compared with 11%
for Android, 4% for BlackBerry and 1% for Nokia.
• As of 2014, Symantec had identified more than 1 million apps classified as malware.
• Mobile devices can harbor malicious files that are dangerous to traditional PCs. For example, a user
picks up a malicious file on a phone, puts it in Dropbox and then opens it on a work machine, which
becomes infected.
• In many ways, the term “mobile” is an arbitrary distinction: once a device is connected to a network it
is vulnerable to some of the same malware strains as PCs are.
• The Motive Security Labs H1 2015 Malware Report indicated that spyware disguised as adware for PCs
was attaching to smartphones as well.
• In the same study, Alcatel-Lucent noted that 80% of malware infections detected on mobile networks
were traced to Windows-based devices.
• G DATA closely monitors the mobile malware market. In Q1 2015, G DATA found more than 440,000
new Android malware strains. In its Q1 2015 Mobile Malware Report, G DATA also found that mobile
malware incidents increased by 6.4% from Q1 2014 to Q1 2015.
• Kaspersky Lab found a dramatic leap in mobile malware, reporting a 65% increase from Q4 2014 to Q1
2015.
Source: Frost & Sullivan analysis.
Market Trends in Public Vulnerabilities
Vulnerabilities Reported by Year
Public Vulnerability Research Market: Yearly Reported Vulnerabilities, Global, 2010–2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Year   Vulnerabilities reported
2010   497
2011   537
2012   519
2013   624
2014   728
Vulnerabilities Reported by Quarter
Public Vulnerability Research Market: Quarterly Reported Vulnerabilities, Global, 2011–2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Year    Q1    Q2    Q3    Q4   Total
2011   166   153    72   146     537
2012   125   168   130    96     519
2013   165   178   160   121     624
2014   110   213   248   157     728
Market Trends
• From January 1, 2014 through December 31, 2014, 7,903 vulnerabilities were assigned Common
Vulnerabilities and Exposures (CVE) numbers.
• Many of these numbers were reserved in good faith but never completed: in some cases MITRE is
unable to confirm the vulnerability and the CVE number simply stays in the reserved state. Roughly
85 percent of the vulnerabilities given a CVE number are eventually verified and assigned a CVSS score.
• Frost & Sullivan counts 728 publicly reported and verified vulnerabilities. Only vulnerabilities that were
publicly disclosed and entered in the NVD are included; “publicly disclosed” here means the vendor
and the disclosing organization made a coordinated statement.
• HPE had the most verified vulnerabilities reported, with 317, demonstrating the reach of the HPE
TippingPoint contributor program.
• Cyber-attacks are largely automated, and the vast majority of vulnerabilities (roughly 80%) will never
be exploited in practice.
• IBM X-Force noted that the explosion in the sheer number of vulnerabilities happened between 2004
and 2006.
Source: Frost & Sullivan analysis.
Market Trends (continued)
• PAST: Customer demand drove vulnerability testing, but this has changed in recent years.
• PRESENT: Vulnerability testing is no longer elective; companies must be able to operate in an
environment of persistent threats. Compliance-driven testing is becoming more common as the
Affordable Care Act gains traction, Payment Card Industry Data Security Standard (PCI DSS) 3.0 takes
hold, and international markets adopt cyber defense practices. One example is the Basic Standard for
Enterprise Internal Control mandated by the Chinese government (known as C-SOX, the Chinese
equivalent of Sarbanes-Oxley in the US).
• TRENDING: The US Federal Government is adopting NIST SP 800-53A Rev. 4, which establishes a
basis for continuous monitoring.
• The Top 20 Critical Security Controls (CSC) are consensus best practices designed to reduce the attack
surface.
• The top five CSC measures are: 1) Inventory of Authorized and Unauthorized Devices, 2) Inventory of
Authorized and Unauthorized Software, 3) Secure Configurations for Hardware and Software on Mobile
Devices, Laptops, Workstations, and Servers, 4) Continuous Vulnerability Assessment and Remediation,
and 5) Malware Defenses.
Source: Frost & Sullivan analysis.
Vulnerability Disclosure
Public Vulnerability Research Market: Percentage of Reported Vulnerabilities by Disclosure Type, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities
Third-party       89.9%
Self-disclosure   10.1%
Vulnerability Disclosure (continued)
• Self-disclosed vulnerabilities are those reported by the manufacturer of the affected application.
Third-party sources are research laboratories or individuals who report vulnerabilities in an application
they do not make.
• Third-party sources continued to report the majority of vulnerabilities in 2014: they discovered and
reported 89.9% of vulnerabilities.
• Self-disclosed reports accounted for the remaining 10.1%.
• Manufacturers have different mechanisms for reporting vulnerabilities. Most companies issue
advisories; manufacturers such as Microsoft and Oracle release advisories on a regular schedule.
• Security patches are the primary method of fixing security vulnerabilities in software. A patch is a piece
of software designed to update a computer program or its supporting data to fix or improve it. This
covers security vulnerabilities as well as other bugs and improvements to usability and performance.
• Whether exploit code or the vulnerability behind a patch was ever made public is a matter of
semantics; the vulnerability exists either way.
• For PSIRTs, testing for vulnerabilities draws on internal and external sources. Manufacturers continue
to contract vulnerability testing out to research laboratories. Testing Web portals and applications is
now as important as testing network endpoints and configurations.
Source: Frost & Sullivan analysis.
Vulnerability Disclosure (continued)
• Vulnerability disclosure is a double-edged sword. When a manufacturer discloses a vulnerability, it
admits a procedural weakness in its production process.
• However, almost any application or network will, at some point, exhibit a vulnerability. Disclosure is
therefore part of the ongoing obligation a manufacturer has to its customers to ensure integrity.
• When working with manufacturers, security vendors may decide not to disclose some vulnerabilities
because they are unfixable or too expensive and resource-intensive to fix.
Source: Frost & Sullivan analysis.
Vulnerability Disclosure by Organization Type
Public Vulnerability Research Market: Percentage of Vulnerabilities by Organization Type, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities
Individual        33.5%
Government        32.6%
Security vendor   30.4%
Anonymous          3.6%
Vulnerability Disclosure by Organization Type (continued)
Public Vulnerability Research Market: Reported Vulnerabilities by Organization Type, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Disclosing organization type   Vulnerabilities reported
Individual                     244
Government                     237
Security vendor                221
Anonymous                       26

Vulnerability Disclosure by Organization Type (continued)
• Vulnerabilities disclosed by HPE and Secunia were counted as Individual when the advisory credited an
individual researcher. If the vulnerability was credited to Secunia Research or HPE itself, it was counted
in the Security vendor category.
• US-CERT vulnerabilities were counted in the Government category even when individually reported.
• Individuals were credited with 33.5% of discoveries; security vendors found 30.4% of all publicly
disclosed vulnerabilities.
• Twenty-six vulnerabilities were reported anonymously or the attribution is unknown.
Source: Frost & Sullivan analysis.
Analysis of Vulnerabilities by Severity
Public Vulnerability Research Market: Percentage of Reported Vulnerabilities by Severity, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities
Medium-severity     51.5%
High-severity       30.6%
Critical-severity   12.4%
Low-severity         3.2%
NA                   2.3%

Severity bands (CVSS base score):
Critical-severity = 10.0
High-severity     = 9.9 – 7.0
Medium-severity   = 6.9 – 4.0
Low-severity      = 3.9 – 0.0
N/A = Not Applicable (no score assigned)
Analysis of Vulnerabilities by Severity (continued)
Public Vulnerability Research Market: Critical-severity Vulnerabilities by Reporting Source, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Organization         Critical-severity vulnerabilities reported
HPE                  44
US-CERT              36
Verisign iDefense     6
High-Tech Bridge      4
Secunia               1
FortiGuard Labs       1
Rapid 7               1
Analysis of Vulnerabilities by Severity (continued)
• The National Vulnerability Database assigns a CVSS score to each vulnerability; the score is useful in
assessing an organization’s risk and setting remediation priorities.
• In 2014, critical vulnerabilities (rated 10.0 by the NVD) amounted to 12.4% of vulnerabilities
disclosed, down from 24.5% for the same disclosing institutions in 2013. Critical-severity
vulnerabilities typically allow remote code execution or denial of service, either of which can hamper
or shut down an organization’s operations.
• High-severity vulnerabilities accounted for 30.6% of disclosed vulnerabilities (down from 44.1% in
2013). These vulnerabilities also expose the network infrastructure to denial-of-service attacks and
file modification.
• Medium- and low-severity vulnerabilities represented 51.5% and 3.2% of vulnerabilities disclosed,
respectively.
Source: Frost & Sullivan analysis.
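The severity bands used in this section are the report’s own classification of CVSS scores, and the 728-vulnerability base excludes CVE numbers that were only reserved or never scored. The following Python is an added example and is not part of the Frost & Sullivan report: it applies those bands to a handful of constructed records (the record shape, the SAMPLE-n identifiers and the scores are assumptions of this example, not real CVEs), skips unscored reserved or rejected entries the way the report’s “verified” filter does, and computes the same year-over-year percentage change the report uses for its critical-severity comparison.

```python
from collections import Counter

# Constructed sample records (NOT real CVEs). The shape is an assumption of this
# example: "cvss" is the CVSS v2 base score assigned by the NVD, or None when the
# entry is still reserved/rejected and therefore was never scored.
SAMPLE_RECORDS = [
    {"id": "SAMPLE-1", "cvss": 10.0, "summary": "Remote code execution in a browser plugin"},
    {"id": "SAMPLE-2", "cvss": 9.3, "summary": "Heap overflow in a media parser"},
    {"id": "SAMPLE-3", "cvss": 7.5, "summary": "SQL injection in a login form"},
    {"id": "SAMPLE-4", "cvss": 6.8, "summary": "Path traversal in an admin servlet"},
    {"id": "SAMPLE-5", "cvss": 4.3, "summary": "Reflected XSS in a search page"},
    {"id": "SAMPLE-6", "cvss": 2.1, "summary": "Local information disclosure"},
    {"id": "SAMPLE-7", "cvss": None, "summary": "** RESERVED ** not yet published"},
    {"id": "SAMPLE-8", "cvss": None, "summary": "** REJECT ** duplicate of another entry"},
]

BANDS = ("Critical", "High", "Medium", "Low", "NA")


def severity_band(score):
    """Map a CVSS base score to the report's bands.

    Critical = 10.0, High = 7.0-9.9, Medium = 4.0-6.9, Low = 0.0-3.9,
    NA = no score assigned. Scores are compared at one decimal, as CVSS
    publishes them, so a value such as 6.95 cannot fall between two bands.
    """
    if score is None:
        return "NA"
    s = round(float(score), 1)
    if not 0.0 <= s <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if s == 10.0:
        return "Critical"
    if s >= 7.0:
        return "High"
    if s >= 4.0:
        return "Medium"
    return "Low"


def is_verified(record):
    """True when the entry was confirmed and scored; reserved/rejected ones are not."""
    summary = record.get("summary", "")
    if summary.startswith(("** RESERVED **", "** REJECT **")):
        return False
    return record.get("cvss") is not None


def tally(records):
    """Count records per band; return counts, percentages and the verified total."""
    counts = Counter(severity_band(r.get("cvss")) for r in records)
    n = len(records)
    return {
        "n": n,
        "verified": sum(1 for r in records if is_verified(r)),
        "counts": {band: counts[band] for band in BANDS},
        "percent": {band: (round(100.0 * counts[band] / n, 1) if n else 0.0) for band in BANDS},
    }


def pct_change(previous, current):
    """Year-over-year change in percent; 153 -> 90 critical vulnerabilities gives -41.2."""
    if previous == 0:
        raise ValueError("no previous-year baseline")
    return round(100.0 * (current - previous) / previous, 1)


if __name__ == "__main__":
    result = tally(SAMPLE_RECORDS)
    for band in BANDS:
        print(f"{band:<9} {result['counts'][band]:>3}  {result['percent'][band]:>5.1f}%")
    print(f"verified {result['verified']} of {result['n']}; "
          f"critical 2013->2014 change: {pct_change(153, 90)}%")
```

Run stand-alone, the script prints one line per band plus the verified total. The NA row is the same thing as the report’s 2.3% NA share: entries that reached the database with no verified score but still count toward the N=728 base, which is why the report’s percentages are taken over all records rather than over scored ones only.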
Analysis of Vulnerabilities by Severity (continued)
Public Vulnerability Research Market: Reported Vulnerabilities by Severity, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Threat level        Vulnerabilities reported
Critical-severity   104
High-severity       226
Medium-severity     375
Low-severity         23

(The 2013-versus-2014 comparison later in this section gives 90 critical and 223 high for 2014; the
critical and high figures in this chart are not consistent with it.)
Analysis of Vulnerabilities by Severity (continued)
Public Vulnerability Research Market: Critical & High-severity Vulnerabilities by Reporting Source, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
[Bar chart by organization. The bar values preserved in the transcript are 148, 51, 25, 14, 13, 13, 7, 2
and 2, but the organization labels were not preserved; the next slide gives the figures for the leading
reporters.]
Analysis of Vulnerabilities by Severity (continued)
• HPE found a combined 150 critical- and high-severity vulnerabilities. All other companies disclosing
public vulnerabilities together accounted for 163 critical- or high-severity vulnerabilities.
• However, in 2014 HPE had contributions from as many as 3,000 people, either employees or
individual researchers reporting through the HPE TippingPoint platform.
• US-CERT contributed 107 critical- or high-severity vulnerabilities. High-Tech Bridge reported 16 and
VeriSign iDefense reported 23.
• BeyondTrust, for instance, quit public vulnerability reporting in 2013 because the economics of the
business did not support its participation. VUPEN Security no longer issues formal public advisories.
Source: Frost & Sullivan analysis.
Analysis of Vulnerabilities by Severity (continued)
Public Vulnerability Research Market: Reported Vulnerabilities by Severity, Global, 2013 and 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities (2014)

Threat level        2013   2014
Critical-severity    153     90
High-severity        275    223
Medium-severity      177    375
Low-severity          19     23
Analysis of Vulnerabilities by Severity (continued)
Public Vulnerability Research Market: Reported Vulnerabilities by Quarter and Severity, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Quarter   Critical-severity   High-severity   Medium-severity   Low-severity
Q1         17                  32              54                4
Q2         26                  76              98               11
Q3         30                  75             129                7
Q4         17                  40              93                4
Analysis of Vulnerabilities by Severity (continued)
• Of the 728 vulnerabilities that Frost & Sullivan included in this report for 2014, 12.4% were rated
critical (the most severe), 30.6% were rated high severity and 51.5% were rated medium severity.
• The number of critical vulnerabilities fell 41.2% from 2013 to 2014, from 153 to 90. Frost & Sullivan
attributes part of the decrease to patches being applied earlier: according to Secunia, improved
time-to-patch rates are helping to improve vulnerability severity ratings.
• Automated systems used for continuous diagnostics do a better job of remediating critical
vulnerabilities. More organizations are making the transition from alert-based to analytics-enabled
security operations, improving their processes.
Source: Frost & Sullivan analysis.
Comparison of Targeted Applications

Targeted Applications
Public Vulnerability Research Market: Applications with the Highest Number of Unique Confirmed Vulnerabilities, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Application                       Vulnerabilities reported
Microsoft Internet Explorer       123
Oracle Java Runtime Environment    22
Microsoft Windows                  13
Apple QuickTime                    12
Adobe Flash Player                 12
Adobe Reader                       10
Analysis of Targeted Applications
• In 2014, the applications with the most vulnerabilities were Microsoft Internet Explorer, Oracle Java
Runtime Environment, Microsoft Windows, Apple QuickTime, Adobe Flash Player and Adobe Reader.
• The biggest year-over-year leap was for Microsoft Internet Explorer, with 123 vulnerabilities found in
2014 versus 73 in 2013. All editions of Internet Explorer from 6 through 11 have been targeted.
o Internet Explorer is not easily found in Windows 10. It is there, just not up front. If its replacement,
Microsoft Edge, proves less vulnerable, upgrades and new installs of Windows 10 might reverse this
trend and further vindicate Microsoft's decision to build a new browser.
• There were 22 vulnerabilities associated with the Java Runtime Environment.
• Client-side applications, particularly Web browsers, contained the majority of reported vulnerabilities.
For Internet Explorer specifically, however, it is hard to tell what is cause and what is effect. Internet
Explorer is a ubiquitous business and personal tool, and intuitively it makes more sense for an attacker
to reach other data sources through the client side than to attack a network directly.
• The complication is that researchers look for vulnerabilities independently, so it is possible that they
focus on Internet Explorer simply because it is the application they know best from their research
experience.
Source: Frost & Sullivan analysis.
Top Targeted Types of Applications
Public Vulnerability Research Market: Types of Applications with the Highest Number of Unique Confirmed Vulnerabilities, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Application type       Vulnerabilities reported
Web Browser            138
Server                  92
Business Application    75
Active X                72
Web application         59
Media Application       44
Network Management      44
Data Management         25
Router                  20
Operating Systems       12
Disclosing Institutions: Web Browser Vulnerabilities
Public Vulnerability Research Market: Web Browser Vulnerabilities by Reporting Source, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Organization   Web browser vulnerabilities reported
HPE            122
Verisign        11
US-CERT          4
Symantec         1
Disclosing Institutions: Media Applications Vulnerabilities
Public Vulnerability Research Market: Media Application Vulnerabilities by Reporting Source, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Organization       Media application vulnerabilities reported
HPE                25
Verisign           10
High Tech Bridge    4
US-CERT             3
Secunia             2
Disclosing Institutions: Server Vulnerabilities
Public Vulnerability Research Market: Server Vulnerabilities by Reporting Source, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities
[Bar chart by organization: US-CERT, HPE, Fortiguard, IBM. The bar values were not preserved in the
transcript; the application-type chart above gives the server category a total of 92.]
Disclosing Institutions: Business Applications Vulnerabilities
Public Vulnerability Research Market: Business Applications Vulnerabilities by Reporting Source, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities

Organization        Business application vulnerabilities reported
HPE                 34
US-CERT             28
High-Tech Bridge     4
Verisign iDefense    3
Core Security        3
IBM ISS              2
Secunia              1
Analysis of Targeted Applications by Type
• For the past few years most of the participating public vulnerability research firms have observed that
vulnerabilities are migrating toward the Web and Web-based applications. In 2014 this observation still
holds: Frost & Sullivan found 197 vulnerabilities (27.1% of all vulnerabilities) directly related to Web
applications.
• Within that Web-related group, the Web browser was the most targeted application, with 138 discovered
vulnerabilities. Web-based applications accounted for 59 vulnerabilities.
• The Web browser is especially problematic. The most current Microsoft Web browser is Internet
Explorer (IE) version 11. IE6 through IE11 are largely backward and forward compatible, but “largely” is
the operative word: in many cases an application written for IE9 does not work in IE11. Where an
application built for IE9 will not function in IE11, organizations that depend on it are unlikely to update to
the newer browser.
• Even without a compelling reason, individuals often do not go through the process of updating their
browsers. This has deleterious effects because patch priority goes to the most recent browser edition
(this applies to Google Chrome and Mozilla Firefox as well).
• The Oracle Java Runtime Environment is used in both business and media applications. Vulnerabilities
were found in buffer handling (memory corruption), color conversion, drag-and-drop, and sandbox
bypasses.
Source: Frost & Sullivan analysis.
Analysis of Targeted Applications by Type (continued)
• Other business applications found to have vulnerabilities include IBM Lotus Notes and the IBM SPSS
Modeler data analytics product, Novell GroupWise Messenger, Microsoft Word, and Hewlett-Packard
Application Lifecycle Management.
• The media application category includes Adobe Reader, Flash Player and Shockwave Player. Adobe
was credited with 16 critical- or high-severity vulnerabilities; eight more were rated medium severity.
• Apart from Adobe’s media applications, the other highly targeted media application was Apple
QuickTime. RealNetworks RealPlayer was found to have only one vulnerability by public vulnerability
disclosing firms.
• Industrial control system (ICS) application vulnerabilities are growing as these systems evolve to use
standard operating system platforms and connect to corporate LANs and the Internet. As a result,
legacy systems and component devices with weak or non-existent security mechanisms are exposed to
modern external threats. The risk to ICS is gradually being addressed, but not nearly fast enough to
protect against cyber attacks.
• Industrial control software framework components accounted for 24 discovered vulnerabilities.
Source: Frost & Sullivan analysis.
Analysis of Targeted Applications by Type (continued)
• Six vulnerabilities were found in IP/security cameras.
• Eight vulnerabilities were found in a Universal Plug and Play (UPnP) software development kit (SDK).
Unfortunately, that SDK is embedded in over 200 products, so each flaw is inherited by every one of
them.
• Security management software from McAfee, Cisco, Symantec, HPE and others had 53 confirmed
application vulnerabilities affecting servers, gateways and various security appliances on networks.
• Web content management systems (CMS) accounted for 29 of Frost & Sullivan’s reported application
vulnerabilities. The most popular Web CMS platforms today, WordPress, Joomla and Drupal, account
for 75% of the market, and it is common for one or more to be offered as a standard feature of Web
hosting services.
• CMS platforms also have security issues. Studies by WordPress security plugin vendors found that 73%
of the WordPress installations examined had unpatched vulnerabilities detectable with a free
vulnerability scanner. Cybercriminals know that there are large numbers of unpatched installations, so
they focus heavily on CMS-based sites.
• Among public vulnerabilities, five were found affecting social media.
Source: Frost & Sullivan analysis.
Targeted Web Browser Type
Public Vulnerability Research Market: Percent of Reported Vulnerabilities by Web Browser Type, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities
Microsoft Internet Explorer   89.1%
Mozilla Firefox                5.1%
Google Chrome                  3.6%
Apple Safari                   2.2%

Targeted Web Browser Type (continued)
Public Vulnerability Research Market: Reported Web Browser Vulnerabilities, Global, 2014
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis. N=728 vulnerabilities
[Bar chart of the same four browser shares: Internet Explorer 89.1%, Firefox 5.1%, Chrome 3.6%,
Safari 2.2%.]
Analysis of Targeted Web Browser Type
• In 2014, Microsoft Internet Explorer had the most publicly reported vulnerabilities, with 123, up sharply
from the 73 reported in the 2013 study. Of the 123 IE vulnerabilities, 32 could still affect IE6.
• Mozilla Firefox went from 12 vulnerabilities reported in 2013 to seven in 2014. Whether Firefox is more
securely configured, better patched or less targeted, or whether the drop is a statistical anomaly, is
unclear from two years of data.
• Web browsers accounted for 138 of the 197 vulnerabilities attributed to Web-based software.
Source: Frost & Sullivan analysis.
Vulnerability Analysis
Vulnerability Definitions
This research study references Common Weakness Enumeration (CWE) specifications to describe
vulnerability flaw types. Definitions of the most frequently occurring vulnerability types in 2014 follow:
• Buffer errors - A memory buffer is a region of memory of a specific, allocated size. If a program copies
more data into a buffer than it was allocated to hold, the excess overwrites adjacent memory; attackers
exploit this to crash the application or, by overwriting control data, to execute code of their choosing.
• Improper input validation - Improper input validation occurs when a program accepts incorrectly
formatted data as valid input. Attackers can then supply data the program cannot handle, causing it
to crash or behave improperly.
• Resource management errors - These errors occur when a program does not limit the resources it
consumes, such as memory or processing time. Attackers can exhaust the system’s resources and so
block access by legitimate users.
• Numeric errors - Many programs must perform precise arithmetic. When a program mishandles
numbers, for example through rounding errors, integer overflow or sign changes, its results and any
bounds checks that depend on them are compromised.
• Cross-site scripting (XSS) - Cross-site scripting occurs when a Web site includes user-supplied data in
a page without validating or encoding it. Attackers can thereby inject script that runs in other users’
browsers with the privileges of the site, stealing sessions or performing actions as the victim.
• Permissions, privileges, and access - Errors relating to permissions, privileges, and access occur
when a program grants more access or rights than intended to a party that should not have them.
Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.
Vulnerability Definitions (continued)
• Code injection - Code injection occurs when attacker-supplied input is incorporated into code that the
program then executes. This type of vulnerability allows attackers to control and manipulate a system.
• SQL injection - SQL injection enables attackers to execute statements against a database in an
unauthorized manner. A Web site or Web application that builds queries from unvalidated input lets the
attacker inject SQL into the query, which can expose or alter the data and sometimes control the
system.
• Cryptographic issues - Cryptography is a set of algorithms that render data indecipherable to
unauthorized users; authorized users hold the key needed to decrypt and read the data. These
systems may be vulnerable to attacks that bypass the cryptography or obtain unauthorized access to
the key.
• CSRF - Cross-site request forgery enables attackers to act as a particular end user and perform
unauthorized actions. CSRF attacks rely on the browser automatically attaching the user’s stored
authentication data (typically session cookies) to a request the attacker forged, so the application
processes it as if the user had approved it.
• Authentication issues - Businesses rely on authentication systems to confirm user identity and
determine the appropriate level of access. Vulnerabilities may allow users to bypass or fool
authentication systems and gain unauthorized access.
Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.
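The SQL injection and cross-site scripting entries above describe the two most common Web flaw types in this report’s 2014 data. The following Python is an added example and is not part of the Frost & Sullivan report or the CWE material it cites: it puts the vulnerable form of each beside its hardened form, using an in-memory SQLite database with constructed sample rows (the users table, the account names and the passwords are this example’s own assumptions, not real data).

```python
import html
import sqlite3

# Constructed sample data for this example only (not real accounts). Plaintext
# passwords are used purely to keep the demonstration short; a real system
# stores salted password hashes.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection (CWE-89): user input is spliced into the statement text,
    so a username such as  alice' --  closes the string literal and comments
    out the password check. Returns the rows the database matched."""
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: the statement is fixed and the values are bound as
    parameters, so the driver never parses user input as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_greeting_vulnerable(name):
    """Cross-site scripting (CWE-79): untrusted data is copied into HTML verbatim."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_escaped(name):
    """Hardened form: HTML-encode the data for the context it is inserted into,
    so '<' and quotes reach the browser as character references, not markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable   :", login_vulnerable(db, payload, "wrong-password"))
    print("parameterized:", login_parameterized(db, payload, "wrong-password"))
    xss = "<script>alert(document.cookie)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_escaped(xss))
```

Run stand-alone, the vulnerable login returns alice’s admin row for a wrong password while the parameterized one returns nothing, and the escaped greeting shows the script tag rendered inert. The point common to both fixes is that the data never reaches a parser (SQL or HTML) in a form it could interpret as code.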
Vulnerabilities Reported by Flaw Type 2013
Public Vulnerability Research Market: Reported Vulnerabilities by Top Flaw Type, Global, 2013
Note: All figures are rounded. Source: Frost & Sullivan analysis.

Flaw type                                        Vulnerabilities reported
Buffer overflow errors                           158
Insufficient information                         140
Cross-site scripting (XSS)                        53
Code injection                                    42
Resource management errors                        41
SQL injection                                     29
Cross-site request forgery (CSRF)                 28
Input validation                                  24
Permissions, privileges, and access control       21
Path traversal                                    18
Numeric errors                                    13
OS command injections                             10
Information leak/disclosure                       10
Other                                              8
Authentication issues                              8
Cryptographic issues                               8
Credentials management                             7
Design error                                       2
Configuration                                      1
Race conditions                                    1
Format string                                      1
Redirection to unwanted site                       1
(The categories sum to 624, the 2013 total.)
Vulnerabilities Reported by Flaw Type (For 2014)
Note: All figures are rounded. Source: Frost & Sullivan analysis.
Public Vulnerability Research Market: Reported Vulnerabilities by Top Flaw Type, Global, 2014
Flaw Type                                      Vulnerabilities Reported
Buffer overflow errors                         170
Cross-site scripting (XSS)                     78
Input validation                               44
Permissions, privileges, and access control    42
Insufficient information                       35
Path traversal                                 35
Code injection                                 32
Resource management errors                     32
SQL injection                                  28
Information exposure                           25
Cross-site request forgery (CSRF)              22
Cryptographic issues                           17
Credentials management                         16
OS command injections                          14
Authentication issues                          13
Other                                          9
Numeric errors                                 6
Resource manager errors                        6
Command injection                              3
Unrestricted upload of file                    2
NFDF-74 78
Disclosing Institutions: Buffer Overflow Errors
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
Public Vulnerability Research Market: Reported Buffer Overflow Errors by Reporting Source, Global, 2014
Organization          Vulnerabilities Reported
HPE                   125
Verisign iDefense     14
US-CERT               13
Core Security         13
Other                 5
N=728 vulnerabilities
NFDF-74 79
Disclosing Institutions: Code Injection Errors
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
Public Vulnerability Research Market: Code Injection Errors by Reporting Source, Global, 2014
Organization          Vulnerabilities Reported
HPE                   18
US-CERT               11
High-Tech Bridge      3
N=728 vulnerabilities
NFDF-74 80
Top Impact Type
N=728 vulnerabilities
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
Public Vulnerability Research Market: Percentage of Vulnerability Reports by Associated Impacts, Global, 2014
• Denial/Modification/Unauthorized Access 66.2%
• File modification 12.5%
• Unauthorized disclosure 8.9%
• Denial-of-service 4.1%
• Unauthorized disclosure/modification 1.8%
• Other 6.5%
NFDF-74 81
Top Impact Types (continued)
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
HPE 55.2%
US-CERT 26.1%
VeriSign iDefense 5.2%
High-Tech Bridge 4.1%
Core Security 3.5%
Fortiguard 0.8%
Secunia 0.8%
IBM ISS 0.4%
Other 3.7%
Public Vulnerability Research Market: Percentage of Denial-of-Service/File Modification/Unauthorized Access Impacts by Reporting Source, Global, 2014
N=728 vulnerabilities
NFDF-74 82
Analysis of Impact Types
• The NVD was the final authority used to report the impacts in the tables.
• Buffer overflow errors were the most common vulnerability flaw in 2013 and remained so
in 2014. HPE found 125 buffer overflow errors in 2014, followed by Verisign iDefense,
which found 14.
• Interestingly, the NVD determined there were 136 vulnerabilities for which no known
flaw type could be ascribed to the potential exploit.
• Cross-site scripting (XSS) (78 vulnerabilities), input validation (44 vulnerabilities), and
code injection (32 vulnerabilities) were the next most common vulnerability flaws.
• If a vulnerability was found, 66.2 percent of the time the impact was likely to be
exploited to deny service, modify files, and allow unauthorized access (482 vulnerabilities
could be subject to all three impacts). This could be classified as a jailbreak vulnerability.
• HPE found 55.2 percent of all of the jailbreak vulnerabilities discovered by public
vulnerability reporting organizations.
Source: Frost & Sullivan analysis.
NFDF-74 83
Competitive Analysis
NFDF-74 84
Competitive Analysis Verified Vulnerabilities
N=728 vulnerabilities
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
HPE 43.5%
US-CERT 35.3%
High-Tech Bridge 7.4%
Verisign 3.7%
Core Security 2.7%
FortiGuard Labs 1.9%
IBM ISS 1.2%
Secunia 1.0%
Other 3.2%
Public Vulnerability Research Market: Market Share for Verified and Reported Vulnerabilities by Disclosing Source, Global, 2014
NFDF-74 85
Competitive Analysis Verified Vulnerabilities (continued)
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
Public Vulnerability Research Market: Verified Reported Vulnerabilities by Source, Global, 2014
Organization          Vulnerabilities Reported
HPE                   317
US-CERT               257
High-Tech Bridge      54
Verisign iDefense     27
Core Security         20
FortiGuard Labs       14
IBM ISS               9
Secunia               7
Other                 23
N=728 vulnerabilities
NFDF-74 86
Competitive Analysis Verified Vulnerabilities (continued)
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
Public Vulnerability Research Market: Total Verified Reported Vulnerabilities by Source, Global, 2013 and 2014
Organization          2013    2014
HPE                   249     317
US-CERT               155     257
Secunia               94      7
High-Tech Bridge      52      54
IBM ISS               25      9
Core Security         22      20
Verisign iDefense     18      27
FortiGuard Labs       7       14
Other                 2       23
NFDF-74 87
Competitive Analysis Verified and Unverified Vulnerabilities
Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.
Public Vulnerability Research Market: Verified and Unverified Reported Vulnerabilities by Source, Global, 2014
Organization          Vulnerabilities Reported
HPE                   343
US-CERT               282
High-Tech Bridge      54
Verisign iDefense     28
Core Security         20
FortiGuard Labs       18
Secunia               8
IBM ISS               8
N=728 vulnerabilities
NFDF-74 88
Competitive Analysis (continued)
• For statistical purposes, Frost & Sullivan uses only verified vulnerabilities in the formal
analysis.
• This is not meant to cast aspersions on unverified vulnerabilities. Under the Frost & Sullivan
definition, a vulnerability is verified once NVD has issued it a CVSS temporal score. Worth
noting, the CVSS score represented in an advisory does not always match the final score issued by
NVD.
• The most likely reason a vulnerability remains unverified is that the NVD could not prove a
vulnerability exists. Either there was little exploit code provided or the vulnerability could not be
replicated in the lab.
• Another possibility is that the vulnerability has not been tested. By the time a vulnerability becomes
public, usually within six months, a CVSS score is issued—but there are occasions when this takes
longer.
• Vulnerability reporting by an individual company tends to vacillate from year to year. In
2014, HPE reported the most verified and unverified vulnerabilities with 343. In 2013, that
number was down to 286; however, in 2012, the number of verified vulnerabilities was
249.
• In terms of verified vulnerabilities in 2014, US-CERT follows with 257, and High-Tech
Bridge is next with 54.
Source: Frost & Sullivan analysis.
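To make the verified/unverified distinction above concrete, here is an added Python example, written for this page and not Frost & Sullivan's or NVD's own tooling, that applies the CVSS v2 temporal equation (the scoring version NVD used for 2014 records) and treats a constructed sample record as verified only when an NVD temporal vector is present. It also shows one reason an advisory's score can differ from NVD's final score: the Remediation Level and Report Confidence metrics change once a vendor fix ships and the report is confirmed, which is the mechanism behind the report's observation that a better time-to-patch rate lowers severity ratings. The record identifiers, sources and vectors are constructed placeholders; the metric weights are the published CVSS v2 temporal values.

```python
"""Added example for the verified-vulnerability definition: a record is
verified once NVD has issued a CVSS temporal score. Applies the CVSS v2
temporal equation
    Temporal = round_to_1_decimal(Base * E * RL * RC)
to constructed sample records. Not code from the report or from NVD."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 temporal metric weights (published specification values).
EXPLOITABILITY = {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"}
REMEDIATION_LEVEL = {"OF": "0.87", "TF": "0.9", "W": "0.95", "U": "1.0", "ND": "1.0"}
REPORT_CONFIDENCE = {"UC": "0.9", "UR": "0.95", "C": "1.0", "ND": "1.0"}
_TABLES = {"E": EXPLOITABILITY, "RL": REMEDIATION_LEVEL, "RC": REPORT_CONFIDENCE}


def parse_temporal_vector(vector: str) -> dict:
    """Parse 'E:POC/RL:U/RC:UR' into {'E': 'POC', 'RL': 'U', 'RC': 'UR'}.
    Missing, duplicated or unknown metrics raise instead of defaulting."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in _TABLES or value not in _TABLES[key] or key in metrics:
            raise ValueError(f"bad temporal metric {part!r} in {vector!r}")
        metrics[key] = value
    if set(metrics) != set(_TABLES):
        raise ValueError(f"temporal vector must carry E, RL and RC: {vector!r}")
    return metrics


def temporal_score(base_score: float, vector: str) -> float:
    """CVSS v2 temporal score; Decimal with half-up rounding matches the
    specification's round_to_1_decimal."""
    score = Decimal(str(base_score))
    for key, value in parse_temporal_vector(vector).items():
        score *= Decimal(_TABLES[key][value])
    return float(score.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Constructed sample records: placeholder ids and sources, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "SAMPLE-0001", "source": "Source A", "base": 7.5,
     "advisory_vector": "E:POC/RL:U/RC:UR",       # at disclosure: no fix, uncorroborated
     "nvd_temporal_vector": "E:POC/RL:OF/RC:C"},  # NVD final: official fix, confirmed
    {"id": "SAMPLE-0002", "source": "Source B", "base": 10.0,
     "advisory_vector": "E:F/RL:OF/RC:C",
     "nvd_temporal_vector": "E:F/RL:OF/RC:C"},
    {"id": "SAMPLE-0003", "source": "Source A", "base": 4.3,
     "advisory_vector": "E:U/RL:W/RC:UC",
     "nvd_temporal_vector": None},                # NVD has not scored it: unverified
]


def is_verified(record: dict) -> bool:
    """The report's rule: verified once NVD has issued a temporal score."""
    return record.get("nvd_temporal_vector") is not None


def summarise(records: list) -> dict:
    """Count verified/unverified records, tally verified records per source
    (the basis of the market-share charts), and list records whose NVD
    temporal score differs from the score implied by the advisory."""
    verified = [r for r in records if is_verified(r)]
    by_source: dict = {}
    rescored = []
    for r in verified:
        by_source[r["source"]] = by_source.get(r["source"], 0) + 1
        advisory = temporal_score(r["base"], r["advisory_vector"])
        final = temporal_score(r["base"], r["nvd_temporal_vector"])
        if advisory != final:
            rescored.append((r["id"], advisory, final))
    return {
        "verified": len(verified),
        "unverified": len(records) - len(verified),
        "verified_by_source": by_source,
        "rescored": rescored,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_RECORDS))
```

For the first sample record the advisory-time temporal score is 6.4 and the NVD final score 5.9: the base score did not change, but the arrival of an official fix (RL:OF, weight 0.87) and confirmation of the report (RC:C) lowered the temporal result. Only records with an NVD temporal vector count toward the per-source tally, which is the filtering the report describes for its formal analysis.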
NFDF-74 89
The Status Of Public Vulnerability Reporting
NFDF-74 90
The Status of Public Vulnerability Reporting
• The concept of public vulnerability reporting is rapidly fading.
• In 2013, BeyondTrust and VUPEN discontinued their public vulnerability reporting practices. Apparently,
IBM ISS and Fortinet Labs have dedicated fewer resources to the practice.
• Understand that this does not mean that there is less vulnerability research—far from it. The majority of
vulnerability incidents detected actually make it to the frontlines of perimeter defenses.
• In vulnerability management, companies like Tenable Network Security, Qualys, and Beyond Security
have extensive vulnerability libraries.
• Furthermore, large endpoint protection and security management platforms like Intel Security (McAfee)
ePolicy Orchestrator and Cisco Advanced Malware Protection (AMP) uncover vulnerabilities.
• With Cisco Threat Grid and the Open Threat Exchange (OTX) sponsored by AlienVault, when any
appliance in these companies’ threat management network detects malware, the information is
shared with all of the appliances on the network.
• The relationships between PSIRT teams and security appliance teams continue to improve. As a
hypothetical, if Rapid7 discovers a vulnerability in a Bank of America application, the odds of getting
detailed information about the threat conditions to Bank of America are better in 2015 than in 2014 (and
appreciably better than in 2010-11).
Source: Frost & Sullivan analysis.
NFDF-74 91
The Status of Public Vulnerability Reporting (continued)
• Reports are published by IBM, Symantec, and Cisco, among others.
• The idea of public disclosure now carries a different connotation. The process involves a vulnerability
discovery, reporting to MITRE, and an agreed-upon date to issue an advisory. Often that loop takes between
three and seven months to complete, and intervals of more than a year are not uncommon.
• In the mid-2000s, “pay-for-discovery” was a fairly normal industry paradigm. Network professionals or
people passionate about coding could discover vulnerabilities and make some extra income.
• By 2014, HPE was more or less alone in this practice.
• Some legacy practices exist. Secunia (which was purchased by Flexera Software in September 2015)
uses public vulnerability disclosure to promote the products it offers in vulnerability management, patch
management, and PC application protection.
• High-Tech Bridge uses its public vulnerability disclosure program to showcase its skill set in ethical
hacking and to call attention to ImmuniWeb, its Web scanning and Web application testing platform.
• Google is also radically changing the game. In July 2014, Google announced Project Zero.
o As a part of Project Zero, Google announced the formation of a dedicated team that would discover
and report vulnerabilities. In part, Google has a self-interest as Google has an Internet browser, and
its search tools are more effective in a more secure environment.
Source: Frost & Sullivan analysis.
NFDF-74 92
The Status of Public Vulnerability Reporting (continued)
• The project has received mixed reviews. In December 2014, Google reported several vulnerabilities in
Microsoft products. Microsoft felt that it had been unjustly singled out for unwarranted negative
attention.
• In February 2015, Google announced it would extend the discovery-disclosure cycle to 90 days and
would provide another two-week grace period if a company is actively working on patching its
vulnerabilities.
• HPE maintains its Pwn2Own contests. Pwn2Own is a high-spirited contest for ethical
hackers with cash incentives (in 2013 Pwn2Own paid $850,000 in prizes).
• At different times, hackers were challenged to break biometric code, mobile OS, and selected software
kernels.
• The HPE Zero Day Initiative (ZDI) still receives contributions from individuals reporting software platform
defects and vulnerabilities. The individuals are still compensated.
• Many of the contributors have been with the program since 2010, and these researchers are
demonstrating proof-of-concept at the root-cause level and writing succinct, verifiable exploit code.
• For public vulnerability research, HPE draws on elements of Fortify, Pwn2Own, the HP ZDI, and TippingPoint.
• In October 2015, Trend Micro announced that it is acquiring HP TippingPoint.
• According to Trend Micro, HPE and Trend Micro have also agreed to a strategic OEM arrangement that
includes the incorporation of select components of the next-generation intrusion prevention systems
(NGIPS) into HPE’s networking division.
Source: Frost & Sullivan analysis.
NFDF-74 93
Conclusions
NFDF-74 94
Conclusions
Source: Frost & Sullivan analysis.
1 Many of the public vulnerability reporting firms felt that there were more, but less
severe, vulnerabilities in 2014 than in 2013. At least in the sampling Frost & Sullivan
considered, there were more vulnerabilities, and they were slightly less severe than the
year before, partly because an improved time-to-patch rate is helping to improve
vulnerability severity ratings.
2 Without exception, public vulnerability companies report improving
relations with the PSIRTs of major companies. This leads to better patch
management.
3 Vulnerability research is expanding beyond network endpoints. Web
applications and browsers, malware, mobile malware, SCADA, and the
Internet of Things are becoming part of vulnerability research.
NFDF-74 95
Appendix
NFDF-74 96
Vulnerability Database Sources (for 2014)
• CORE Security Research
• FortiGuard Labs
• Hewlett-Packard Enterprise
• High-Tech Bridge
• IBM ISS
• National Vulnerability Database
• Secunia
• US-CERT
• Verisign iDefense
NFDF-74 97
List of Publications Cited in This Report
• Cisco 2014 Annual Security Report
• Cisco 2015 Annual Security Report
• Fortinet 2014 Threat Landscape Report
• HPE Cyber Risk Report 2014
• HPE Cyber Risk Report 2015
• IBM X-Force 2014 Mid-Year Trend and Risk Report
• IBM X-Force Threat Intelligence Quarterly 1Q 2014
• IBM X-Force Threat Intelligence Quarterly, 4Q 2014
• Secunia Vulnerability Review 2014
• Verizon Data Breach Investigations Report 2014
• Symantec Internet Security Threat Report 2015
• High-Tech Bridge Security Research Blog
• Motive Security Labs H1 2015 Malware Report
Source: Frost & Sullivan
NFDF-74 98
Legal Disclaimer
• Frost & Sullivan takes no responsibility for any incorrect information supplied to us by manufacturers or
users. Quantitative market information is based primarily on interviews and therefore is subject to
fluctuation. Frost & Sullivan research services are limited publications containing valuable market
information provided to a select group of customers. Our customers acknowledge, when ordering or
downloading, that Frost & Sullivan research services are for customers’ internal use and not for general
publication or disclosure to third parties. No part of this research service may be given, lent, resold or
disclosed to noncustomers without written permission. Furthermore, no part may be reproduced, stored
in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise, without the permission of the publisher.
• For information regarding permission, write to:
Frost & Sullivan
331 E. Evelyn Ave. Suite 100
Mountain View, CA 94041
© 2014 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan.
No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.
NFDF-74 99
The Frost & Sullivan Story
The Journey to Visionary Innovation
NFDF-74 100
The Frost & Sullivan Story
NFDF-74 101
Value Proposition: Future of Your Company & Career
Our 4 Services Drive Each Level of Relative Client Value
NFDF-74 102
Global Perspective
40+ Offices Monitoring for Opportunities and Challenges
NFDF-74 103
Industry Convergence
Comprehensive Industry Coverage Sparks Innovation Opportunities
• Automotive & Transportation
• Aerospace & Defense
• Measurement & Instrumentation
• Information & Communication Technologies
• Healthcare
• Environment & Building Technologies
• Energy & Power Systems
• Chemicals, Materials & Food
• Electronics & Security
• Industrial Automation & Process Control
• Automotive
• Transportation & Logistics
• Consumer Technologies
• Minerals & Mining
NFDF-74 104
360º Research Perspective
Integration of 7 Research Methodologies Provides Visionary Perspective
NFDF-74 105
Implementation Excellence
Leveraging Career Best Practices to Maximize Impact
NFDF-74 106
Our Blue Ocean Strategy
Collaboration, Research and Vision Sparks Innovation