Public Vulnerability Research Market in 2014

The Evolving Threat Environment During the Internet of Things Era

NFDF-74 November 2015 Research Team

Lead Analyst: Pamela Tufegdzic, Industry Analyst, ICT – Network Security, (248) 259-2053
Contributing Analyst: Chris Kissel, Industry Analyst, ICT – Network Security, (623) 910-7986
Vice President of Research: Michael Suby, VP of Research, Stratecast/Frost & Sullivan, (720) 344-4860
Research Director: Frank Dickson, Research Director, ICT – Network Security, (469) 387-0256

List of Exhibits

Executive Summary
Market Overview
• Market Overview – Research Objectives
• Market Overview (continued)
• Market Overview—Best Practices Public Vulnerability Disclosure
• Market Overview—The Evolving Attacker
• Market Overview—Terminology and Definitions
• Market Overview—Key Questions This Insight Answers
Research Methodology
Cyber Threat Analysis and Reporting
• Introduction to Cyber Threat Analysis and Reporting
• The Internet of Things
• The Internet of Things (continued)
• SCADA
• Software―Java
• Malware
• Mobile Malware
Market Trends in Public Vulnerabilities
• Vulnerabilities Reported by Year
• Vulnerabilities Reported by Quarter
• Market Trends
• Vulnerability Disclosure
• Vulnerability Disclosure by Organization Type
• Analysis of Vulnerabilities by Severity
Comparison of Targeted Applications
• Targeted Applications
• Analysis of Targeted Applications
• Top Targeted Types of Applications
• Disclosing Institutions: Web Browser Vulnerabilities
• Disclosing Institutions: Media Applications Vulnerabilities
• Disclosing Institutions: Server Vulnerabilities
• Disclosing Institutions: Business Applications Vulnerabilities
• Analysis of Targeted Applications by Type
• Targeted Web Browser Type
• Analysis of Targeted Web Browser Type
Vulnerability Analysis
• Vulnerability Definitions
• Vulnerabilities Reported by Flaw Type (2013)
• Vulnerabilities Reported by Flaw Type (2014)
• Disclosing Institutions: Buffer Overflow Errors
• Disclosing Institutions: Code Injection Errors
• Top Impact Type
• Analysis of Impact Types
Competitive Analysis
• Competitive Analysis: Verified Vulnerabilities
• Competitive Analysis: Verified and Unverified Vulnerabilities
Status of Public Vulnerabilities
Conclusions
• Certification
Appendix
• Vulnerability Database Sources (for 2014)
• List of Publications Cited in This Report
Legal Disclaimer
The Frost & Sullivan Story
• Value Proposition: Future of Your Company & Career
• Global Perspective
• Industry Convergence
• 360º Research Perspective
• Implementation Excellence
• Our Blue Ocean Strategy

Executive Summary

Executive Summary—Key Findings

• 728 software vulnerabilities were reported publicly by research organizations in 2014.
  o Critical vulnerabilities (CVSS base score of 10.0) amounted to 12.4% of vulnerabilities disclosed in 2014, down from 24.5% in 2013.
  o High-severity vulnerabilities accounted for 30.6% of disclosed vulnerabilities (down from 44.1% in 2013).
  o Medium- and low-severity vulnerabilities represented 51.5% and 3.2% of disclosed vulnerabilities, respectively. Frost & Sullivan attributes the shift toward lower severity ratings to better security measures and improved time-to-patch.
  o HPE had the most verified vulnerabilities reported, with 317, reflecting the productivity of the HPE TippingPoint contributor program.
• Hewlett-Packard Enterprise (HPE) found 150 critical and high-severity vulnerabilities (a vulnerability is labeled critical if it has a Common Vulnerability Scoring System (CVSS) base score of 10.0 and high if its base score is 7.0–9.9). All other disclosing companies together accounted for 163 high-severity vulnerabilities.
• Buffer overflow errors were the most common vulnerability flaw type in 2013 and remained so in 2014. HPE found 125 buffer overflow vulnerabilities in 2014, followed by Verisign iDefense with 14.
• In 2014, the six applications with the most vulnerabilities were Internet Explorer, Oracle Java Runtime Environment, Microsoft Windows, Adobe Flash Player, Apple QuickTime, and Adobe Reader.
• Frost & Sullivan counted 197 vulnerabilities (27.1% of all vulnerabilities) directly related to Web applications.
• SCADA vulnerabilities increased from 25 in 2013 to 33 in 2014.
• Researchers are looking beyond network-attached endpoints for vulnerabilities. Web applications and browsers, malware, mobile malware, SCADA, and the Internet of Things are increasingly scrutinized.
• Legacy systems and software that are no longer supported are a major concern for IT departments. On April 8, 2014, Microsoft ended support, including security updates, for Windows XP on PCs. An estimated 300 million PCs were still actively running XP at that point.

Source: Frost & Sullivan analysis.

Market Overview

Research Objectives

Primary Objective

• To acquire, record, and derive an insightful understanding of public vulnerability research from reliable vulnerability vendors and research laboratories in 2014

Secondary Objectives

• To identify and promote prolific reporters of vulnerabilities

• To highlight and emphasize the strongest work produced by companies engaging in public vulnerability research reports

• To analyze the gathered vulnerability data for trends and common factors

Source: Frost & Sullivan analysis.

Market Overview

• The following is both a study of software vulnerabilities and of the companies that publicly disclose them.
• A security vulnerability is any error in an IT system that an attacker can exploit to compromise the confidentiality or integrity of the system or to deny legitimate users access to it. Other industry terms for security vulnerabilities include "software bug" and "flaw."
• The process by which vulnerability analysis is shared with third parties has long been debated. Full disclosure is the practice of making the details of security vulnerabilities public.
  o The argument for keeping vulnerabilities secret is that secrecy keeps them out of the hands of hackers; this assumes hackers cannot discover the vulnerabilities on their own. It also assumes that organizations will spend time and money fixing vulnerabilities nobody else knows about. Both assumptions have proven false.
  o Hackers have proven quite adept at discovering secret vulnerabilities, and full disclosure forces organizations to patch their systems routinely.
• Organizations tend to treat vulnerabilities less as a software problem and more as a public relations (PR) problem. Full disclosure makes the PR problem more acute, so organizations patch quickly.
  o An organization that receives negative PR every time a vulnerability is made public will release a fix quickly to minimize the impact.
• Full disclosure of vulnerabilities helped shape the standardization of how vulnerabilities are tracked, managed and stored.

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• Since 1999, the MITRE Corporation has maintained the Common Vulnerabilities and Exposures (CVE) list, which standardized how publicly known vulnerabilities are tracked, managed and stored.
• MITRE is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs) providing practical solutions to some of the United States' critical challenges; among them it operates the National Cybersecurity FFRDC to enhance cyber security and protect national information systems.
  o Funding for the CVE program comes from the National Cyber Security Division of the United States Department of Homeland Security.
• MITRE documentation defines CVE identifiers (also called CVE numbers, CVE-IDs and CVEs) as unique common identifiers for publicly known information-security vulnerabilities in publicly released software packages.
• In other words, CVE is a dictionary of common names for publicly known information security vulnerabilities. Common identifiers make it easier to share data across separate security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools, which in turn supports a quick and accurate assessment of how to remediate vulnerabilities.

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• CVE identifiers are assigned by CVE Numbering Authorities (CNAs); there are three primary types of assignment:
  o The MITRE Corporation functions as editor and primary CNA.
  o Vendor CNAs assign CVE entries for their own products (e.g., Microsoft, HPE, Oracle).
  o Red Hat (a multinational provider of open-source software to the enterprise community) also assigns CVE numbers for open source projects that do not have a CNA of their own.
• CVE is used by the Security Content Automation Protocol (SCAP), a suite of specifications that standardizes how vulnerability and configuration findings are expressed so that tools can evaluate their impact automatically.
• CVEs are listed on MITRE's site as well as in the U.S. National Vulnerability Database (NVD).
• NVD is the U.S. government repository of standards-based vulnerability management data expressed using SCAP. That data enables automation of vulnerability management, security measurement and compliance.
• The NVD is the CVE dictionary augmented with additional analysis (such as CVSS scores and CWE flaw-type mappings), a database, and a fine-grained search engine, which makes the NVD a superset of CVE.
• The NVD is synchronized with CVE so that updates to CVE entries appear promptly in the NVD.

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• The NVD uses the Common Vulnerability Scoring System (CVSS) Version 2, an open standard for rating vulnerability severity that helps organizations determine the urgency and priority of their response.

• Based on CVSS, the NVD assigns each CVE-ID a numeric base score between 0.0 and 10.0, with higher scores representing greater severity, and ranks it as follows:

  o "Critical to High" severity: CVSS score of 7.0–10.0.

  o "Medium" severity: CVSS score of 4.0–6.9.

  o "Low" severity: CVSS score of 0.0–3.9.

  o Some vulnerabilities lack enough information to assign a CVSS score and are ranked "Not Applicable" (NA).

Source: Frost & Sullivan analysis.

Market Overview (Continued)

• The vulnerability-disclosing institutions used within this report are:
  o Core Security, Fortinet, High-Tech Bridge, HPE, IBM, Secunia, US-CERT, and Verisign.
  o Government reporting refers to vulnerabilities disclosed by the United States Computer Emergency Readiness Team (US-CERT).
• US-CERT is a government agency; the other reporting organizations sell security-related services or security devices.
• In the last 36 months, BeyondTrust and VUPEN Security have dropped out of formal public vulnerability reporting. Core Security and Codenomicon Labs do not report on a regular cadence. (Codenomicon Labs is recognized for the initial discovery of the Heartbleed vulnerability.)
• Companies such as Yahoo will pay hackers for discovered vulnerabilities. However, the economics do not yet support vulnerability discovery as a business built on formal bounty programs alone. Ethical hackers still matter, but the goal is to demonstrate vulnerabilities in the context of a larger security platform.
• Frost & Sullivan counts vulnerabilities that have been disclosed by public vulnerability reporting agencies; this pool totals 728 for 2014.
  o HPE had 318 verified, publicly reported vulnerabilities.
  o US-CERT had 282.
  o High-Tech Bridge had 54.

Source: Frost & Sullivan analysis.

Market Overview—Best Practices in Public Vulnerability Disclosure

• Companies that uncover and report the most vulnerabilities may be perceived as having the most capable research teams, and that perception in turn lends credibility to their security tools.
  o Bounties are sometimes offered to independent researchers or public vulnerability teams for discovering vulnerabilities; for individual researchers, this is how they make their money.
• IBM, HPE, High-Tech Bridge, Secunia, and FortiGuard Labs wait until a vulnerability is confirmed by the affected vendor, and continue to wait until the vendor is comfortable with an advisory, before going public.
• While well intended, this practice frustrates the disclosing institutions. Vulnerabilities are initially reported to the vendor's Product Security Incident Response Team (PSIRT). If the PSIRT is taxed with other obligations, does not reproduce the vulnerability internally, or is slow to act, the public advisory is delayed.
• Delays in the public advisory process can cascade. If a component such as the Linux kernel is used by several applications, every application that depends on it remains potentially at risk until the flaw is fixed in the kernel's source code.

Source: Frost & Sullivan analysis.

Market Overview—The Evolving Attacker

• Unfortunately, the job of IT security continues to be unrelenting and is getting harder.
• Nation-states have conducted campaigns against other countries, manufacturing interests, nuclear facilities, and media outlets. Businesses such as online gaming companies have hired agencies to launch denial-of-service attacks against competitors in hopes of increasing their own attractiveness during peak hours.
• Cyber gangs operate like the gangsters of the past; their only deterrent is the chance of being caught. The criminal element can offer services with a veneer of legitimacy, including formal service level agreements (SLAs) for everything imaginable: service disruption, personal information gathering, credit card numbers, and social network hacking.
• Basic exploit kits are available for purchase, which means technical expertise is much less of a barrier to entry for would-be attackers.
• Low-tech threats are increasing in volume, and high-tech threats are increasing in sophistication.

Source: Frost & Sullivan analysis.

Market Overview—Terminology and Definitions

This research study references Common Weakness Enumeration (CWE) specifications to describe vulnerability flaw types. Definitions of the most frequently occurring vulnerabilities in 2014 are as follows:
• Buffer errors - A memory buffer is a region of memory of a specific, allocated size. If a program writes more data into a buffer than it can hold, the excess spills into adjacent memory, causing crashes or other malfunctions and, in many cases, allowing an attacker to execute arbitrary code.
• Improper input validation - Occurs when a program accepts incorrectly formatted or out-of-range data as valid input. Attackers can then supply data that the program cannot handle safely, causing it to crash or behave improperly.
• Resource management errors - Occur when a program does not limit or correctly release the resources it uses, such as memory, file handles, or processing power. Attackers can then exhaust the system's resources and block access by legitimate users.
• Numeric errors - Many programs must perform precise calculations. When a program mishandles numbers, for example through integer overflow, sign errors, or rounding errors, its results (and often its bounds checks) are compromised.
• Cross-site scripting (XSS) - Occurs when a Web site includes data supplied by one user in pages shown to other users without validating or encoding it. Attackers can use this to run script of their choosing in victims' browsers, for example to steal session cookies or perform actions as the victim.
• Permissions, privileges, and access - Errors in this category occur when a program grants excessive access or rights to unauthorized parties.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.

Market Overview—Terminology and Definitions (continued)

• Code injection - Occurs when attacker-supplied input is interpreted and executed as code by a program. This type of vulnerability allows attackers to control and manipulate the system.

• SQL injection - Occurs when a Web site or Web application builds database queries from unvalidated input. An attacker can inject SQL into those queries to read, modify, or control the database, and sometimes the underlying system, without authorization.

• Cryptographic issues - Cryptography renders data indecipherable to anyone who does not hold the key; authorized users hold the key to decrypt and read the data. Cryptographic flaws (weak algorithms, poor key management, or flawed implementations) may allow attackers to bypass the protection or obtain the key.

• CSRF - Cross-site request forgery lets an attacker make a victim's browser perform unauthorized actions as that user. CSRF attacks rely on the authentication data (such as session cookies) that the browser attaches to requests automatically, so the actions are carried out without the user's knowledge or approval.

• Authentication issues - Businesses rely on authentication systems to validate user identity in order to grant appropriate levels of access. Vulnerabilities may allow users to bypass or fool these systems and gain unauthorized or excessive access privileges.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.

Market Overview—Terminology and Definitions (continued)

• The Microsoft Windows family of operating systems includes Windows 2000 and Windows ME (2000), Windows XP (2001), Windows Server 2003, Windows Vista (2006), Windows 7 (2009), Windows 8 (2012), and Windows 10 (2015).

• The Mac OS family of operating systems includes all versions of Mac OS X and Mac OS X Server. The Linux/Unix category includes Linux and Unix-based operating systems, including Android.

• Individual reporting includes security researchers who report vulnerabilities to security vendors for disclosure. These individuals are either credited by name or remain anonymous.

• Disclosure credit applied to security vendors includes organizations who have research laboratories that find, gather, and disclose vulnerabilities.

Source: Frost & Sullivan analysis.

Market Overview—Key Questions This Insight Answers

Where does vulnerability research fit into the overall information and network security industry?

What are the major trends in the public vulnerability research market?

What type of vulnerabilities are reported the most?

Which applications and application types were prone to vulnerabilities in 2014?

What types of vulnerability errors resulted in severe impacts?

How are companies starting to report threats in malware and mobile malware?

Source: Frost & Sullivan analysis.

Research Methodology

• Vulnerability information included in this study is determined through vendor briefings, Frost & Sullivan in-house research, vendor publications, and publicly reported vulnerabilities.

• The United States Computer Emergency Readiness Team (US-CERT) Vulnerability Notes are a primary source of vulnerability data in this Market Insight.

• The National Vulnerability Database (NVD) provides severity metrics and technical data. A vulnerability must have a unique Common Vulnerabilities and Exposures (CVE) or US-CERT number assigned to qualify for inclusion as a vulnerability in this report.

• Frost & Sullivan requires CVE numbers for report inclusion to eliminate the double reporting of vulnerabilities. This ensures that each vulnerability report counted represents a single vulnerability.

• Validation and qualitative information is based on analyst interviews with market participants and secondary research.

• The NVD provided Common Vulnerability Scoring System Version 2.0 (CVSS V2) scores and rankings for each vulnerability reported. (Note: CVSS V3 is being phased in).

Source: Frost & Sullivan analysis.

Research Methodology (continued)

• CVSS is a widely accepted industry standard and is applied to most reported vulnerabilities.

• CVSS provides a base score that represents the intrinsic characteristics of each vulnerability. The base score does not account for temporal conditions (such as exploit availability) or environmental conditions (such as how widely the affected product is deployed in a given organization).

• In addition to the numeric CVSS scores, this report provides a severity ranking for each vulnerability mapping qualitative rankings to numeric CVSS scores.

• Government research, individuals, manufacturers, and security vendor vulnerability reports contributed to this Market Insight. The credit for the vulnerability is attributed to the disclosing organization. For example, the US-CERT may credit Rapid7 for discovering a vulnerability, but the US-CERT is given credit as the disclosing institution.

• This report also includes original vulnerability discoveries that are reported on research vendor Web sites. For a complete list of sources referred to in this insight, see Vulnerability Database Sources (for 2014).

• Research sections attributed to specific vendors are the result of briefings and publicly disclosed records. Specific quotes were sent back to the vendors to confirm accuracy.

• The formal reporting focuses on the base year 2014.

Source: Frost & Sullivan analysis.
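The counting rule in the methodology (one CVE ID equals one vulnerability, credited to the disclosing institution rather than the original finder), as an added example that is not Frost & Sullivan's own tooling. It assumes a simple record layout of its own, and the sample records are constructed: the institution names are those listed in this report, but the pairings are illustrative and do not reflect real disclosures. It also handles a 2014-specific caveat the methodology does not mention: MITRE's CVE ID syntax change, effective 1 January 2014, allows sequence numbers of more than four digits, so a validator written for the old fixed CVE-YYYY-NNNN form would silently drop some 2014 entries.

```python
"""De-duplicating multi-source vulnerability disclosures by CVE ID.

Added example illustrating the counting rule in this report's methodology
(one CVE ID = one vulnerability, credited to the disclosing institution).
It is not Frost & Sullivan's tooling: the record layout, the helper names
and the sample records are constructed for this example, and the
institution pairings do not reflect any real disclosure.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable, Optional

# CVE-YYYY-NNNN where the sequence part has four OR MORE digits. MITRE's
# syntax change took effect on 1 January 2014, so a 2014 data set can contain
# CVE-2014-100001-style IDs; a fixed \d{4} pattern would silently drop them.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalize_cve(raw: str) -> Optional[str]:
    """Return the canonical upper-case CVE ID, or None if `raw` is not one.

    Feeds differ in case and whitespace ("cve-2014-0001 ", "CVE-2014-0001"),
    and some records carry only a vendor or CERT/CC reference (a VU# note)
    with no CVE; those cannot be counted under the report's rule.
    """
    candidate = raw.strip().upper()
    return candidate if CVE_RE.match(candidate) else None


def dedupe(records: Iterable[dict]) -> tuple[dict[str, dict], list[dict]]:
    """Collapse records sharing a CVE ID into one entry per vulnerability.

    The first institution seen for an ID is credited as the disclosing
    institution; later reporters are appended under "also_reported_by" so
    the overlap stays visible. Records without a valid CVE ID are returned
    separately for manual review rather than silently discarded.
    """
    unique: dict[str, dict] = {}
    rejected: list[dict] = []
    for rec in records:
        cve = normalize_cve(rec.get("cve", ""))
        if cve is None:
            rejected.append(rec)
            continue
        if cve not in unique:
            unique[cve] = {**rec, "cve": cve, "also_reported_by": []}
        else:
            unique[cve]["also_reported_by"].append(rec["institution"])
    return unique, rejected


def count_by_institution(unique: dict[str, dict]) -> Counter:
    """Number of distinct vulnerabilities credited to each institution."""
    return Counter(rec["institution"] for rec in unique.values())


# Constructed sample: IDs and institution pairings are illustrative only.
SAMPLE_RECORDS = [
    {"cve": "CVE-2014-0001", "institution": "US-CERT"},
    {"cve": "cve-2014-0001", "institution": "High-Tech Bridge"},  # same bug, other feed
    {"cve": "CVE-2014-100001", "institution": "HPE"},             # post-2014 long ID
    {"cve": "CVE-2014-0002", "institution": "HPE"},
    {"cve": " CVE-2014-0002 ", "institution": "HPE"},             # duplicate with whitespace
    {"cve": "VU#123456", "institution": "US-CERT"},               # CERT/CC note, no CVE yet
    {"cve": "CVE-14-0003", "institution": "IBM"},                 # malformed year
]

if __name__ == "__main__":
    unique, rejected = dedupe(SAMPLE_RECORDS)
    print(f"{len(unique)} distinct vulnerabilities, {len(rejected)} records need review")
    for cve, rec in sorted(unique.items()):
        print(cve, rec["institution"], rec["also_reported_by"])
    print(count_by_institution(unique))
```

Crediting the first feed seen means the order in which feeds are merged decides who gets credit for a vulnerability that several institutions disclose; the "also_reported_by" list exists so that choice can be audited, and the rejected list is what turns into the "unverified" count once an analyst has checked whether a CVE was assigned later.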

Cyber Threat Analysis and Reporting

Introduction to Cyber Threat Analysis and Reporting

• The majority of this report is focused on software vulnerabilities that are publicly disclosed and given Common Vulnerability Scoring System (CVSS) v.2 scores.

• The research paradigms are changing for the types of companies that disclose vulnerabilities with vendors and how they share the results in a global platform.

• Increasingly, threats bypass the network perimeter. Hackers glean information from social media Web sites, and are developing new strategies to deliver exploits through watering-hole and phishing attacks.

• Two developments, heterogeneous networking and the Internet of Things, are strengthening communications platforms. Unfortunately, the same new networking systems that create agility for businesses also give hackers new ways into networks.

• Smartphones, tablets, and custom-made devices use the Internet for personal and commercial applications. Mobile represents a new frontier for app developers and would-be attackers alike.

• Many of the companies that Frost & Sullivan is working with in the development of this report are producing excellent content in the context of all types of vulnerabilities.

Source: Frost & Sullivan analysis.

The Internet of Things

• The Internet of Things (IoT) refers to devices that are embedded with sensors, software, electronics, and network connectivity that enables these devices to collect and exchange data or be controlled remotely across an existing network infrastructure.

• In 2015, Ericsson forecast 26 billion connected devices by 2020, while Cisco, in 2013, forecast 30 billion connected devices by 2020, most of them machine-to-machine (M2M) connections feeding big data analytics.

• The newly connected devices and systems include, but are not limited to, home and small office routers, home and commercial automation systems, networks with thin clients, purpose-built devices, and connected automobiles. As more physical devices connect through the IoT, the diversity of these technologies raises security concerns.

• IoT requires more bandwidth and computational power, which the era of cloud services is helping to provide.

• The cloud is fundamentally (though not always) a browser-accessed, off-premises technology. Advantages of cloud-based services include high-bandwidth connections to the data centers hosting the workloads, auto-provisioned computing, effectively unlimited storage, and mitigation of obsolescence as services and applications take the place of equipment purchases.

Source: Frost & Sullivan analysis.

The Internet of Things (continued)

• Cloud security is a matter of open debate. Cloud computing and cloud storage vendors argue that cloud architecture adds no additional security concerns.

• However, much of the infrastructure behind virtual workloads is built from shared software such as the OpenStack libraries. A vulnerability in OpenStack middleware, in firmware, or in a shared kernel could be exploited across a large number of servers at once.

• Concepts exist for using automobiles to extend the public Wi-Fi grid. A network of Internet-connected vehicles that provide free Wi-Fi to people in and around them, and that collect data about the environment they move through, encapsulates what the IoT is trying to achieve.

• The internal electronic network in automobiles is the controller area network (CAN) bus. For a vehicle with no external connectivity, manipulating its electronics over the CAN bus requires physical access.

• However, any in-vehicle system tied to cellular networks or Wi-Fi, such as on-board navigation or GPS units connected to the Internet, is potentially vulnerable to remote attack.

• The IoT continues to grow. According to HPE, IoT continues to capitalize on new opportunities in areas such as sensor monitoring in traffic, railways, cars, the home, the local power grid, embedded medical devices (including wearable sensors) and computing.

Source: Frost & Sullivan analysis.

The Internet of Things (continued)

• IBM X Force has identified the following points of protection and the types of security controls that should be implemented for IoT:

o A secure operating system with trusted firmware guarantees. This includes the ability to perform over-the-network / over-the-air updates safely across untrusted connections, which in practice means the device must verify that an update is authentic before applying it.

o A unique identifier. While IPv6 addressing is key to identifying "things" on networks, "things" also need enrollment in a trusted identity database.

o Strong authentication and access control. When users access the data on "things" or control them through a cloud service from a mobile device, it is crucial to ensure that the user is who he or she claims to be.

o Data privacy protection. The data that flows to and from "things", and that may be stored on "things" or their controlling devices, can be sensitive.

o Strong application security. Vulnerabilities arise from software bugs. Hardware manufacturers are often not experts in software development, including the Web applications that may reside on the "thing" or exist as a cloud portal and mobile apps; using certified software may help reduce such bugs.

• The IBM model for the IoT is still a work in progress, since the IoT as a whole is still evolving.

Source: Frost & Sullivan analysis.

SCADA

• Stuxnet, discovered in June 2010, was a game-changer for attacks on Supervisory Control and Data Acquisition (SCADA) systems. It is widely believed to have been developed by US and Israeli government agencies and aimed at the control systems of Iran's nuclear program. Several research firms maintain that the worm spread virally beyond the Iranian facilities it targeted.
• SCADA systems were once considered both low-risk and low-gain targets, but they sit outside traditional security boundaries.
  o They were low-risk in the sense that SCADA systems were attached to machinery or automation sets and were self-contained. They were low-gain in that self-contained systems held no personal information and guarded neither financial assets nor intellectual property.
  o Stuxnet, however, showed how a nation-state can use them to cause physical disruption.
• Legacy SCADA systems have always provided supervisory control: operators act on remote locations through various controls and mechanisms, and the system collects data back from remote devices.
• In the current generation, most SCADA systems have adopted Internet of Things technology. Open, standardized network protocols (IP-based transport with TLS for protection in transit, for example) provide a more readily comprehensible and manageable security boundary than the diverse mix of proprietary protocols typical of decentralized legacy SCADA deployments. However, linking SCADA to IP networks also exposes it to more vulnerabilities.

Source: Frost & Sullivan analysis.

SCADA (continued)

• Real-time analytics and use of virtualized computing, cloud, and non-cloud environments enable SCADA systems linked with the IoT technology to implement more complex control algorithms than are feasible to implement on traditional programmable logic controllers.

• The move from legacy SCADA systems to more standardized and automated solutions with the increased number of connections between SCADA systems, office networks, and the Internet has made them more vulnerable to cyber attacks. Industrial control vendors suggest approaching SCADA security like information security with a defense-in-depth strategy that leverages common IT practices.

• Part of the problem with public vulnerability disclosure in the SCADA space, is that PSIRTs for SCADA networks do not have the same degree of interaction with disclosing laboratories. SCADA PSIRTs are unfamiliar with the cycle of acknowledging vulnerabilities, remediation, patching, and then public disclosure.

• Frost & Sullivan’s research indicates that SCADA vulnerabilities increased from 25 in 2013 to 33 in 2014.

NFDF-74 32 Software―Java

• Java is the most commonly used computer programming language with use in all types of applications:

o Java is run on 97% enterprise desktops.

o In the US, Java is on 89% of all PCs.

o Three billion mobile phones use Java environments.

o Currently, there are nine million Java developers worldwide.

• Cisco reported Java exploits have decreased by 34%, as Java security improves and adversaries move to embrace new attack vectors. Exploits involving client-side vulnerabilities in Adobe Flash Player and Microsoft IE have taken the lead away from Java in 2014.

• However, Apple, Amazon and Google have restricted the use of Flash-style advertising due to the increase of malvertising forcing advertisers to turn to alternative technologies such as HTML5 or JavaScript for marketing purposes.

• Data from the National Vulnerability Database (NVD) shows a similar decline: NVD reported 309 Java vulnerabilities in 2013 and 253 new Java vulnerabilities in 2014.

• Cisco Security Research suggests that the decline in Java exploits can be tied partly to modern day versions of Java that automatically patch, while older and more vulnerable versions of the Java Runtime Environment are being blocked by default by browser vendors.

• Apple, as a precaution, disables old and vulnerable versions of Java and patches with automatic updates.

• The latest version of Java, Java 8, has stronger controls than previous releases. It is also more difficult to exploit because it requires human interaction, such as code signing and a user dialogue that asks the user to enable Java.

Source: Frost & Sullivan analysis.

Malware

• Malware is short for “malicious software”: software that is intended to damage or disable computers and computer systems without the user's consent.

• Malware continues to plague computer networks globally in 2014 with viruses, worms, Trojan horses, spyware and more.

• Point-of-sale (POS) security breaches were the biggest stories of 2014. The Identity Theft Resource Center recorded information on 761 data breaches across financial, business, educational, government and medical institutions. Some of the more notorious events include the Sony hack, malware attacks on Target, Staples, Dairy Queen, Michaels, and Home Depot that resulted in the theft of credit, debit card details and email addresses from POS systems.

• POS systems are migrating to EMV (Europay, MasterCard, and Visa) chip-and-PIN point-of-sale systems, which store card data on integrated circuits rather than magnetic stripes, making cloning credit cards nearly impossible, although many EMV cards also retain stripes for backward compatibility.

• In 2014, High-Tech Bridge observed that ransomware attacks are on the rise. Ransomware is malware that extorts money from victims by holding users’ data or system access for ransom using asymmetric encryption algorithms.

• Ransomweb attacks can target Web application owners rather than individual end users by inserting code on vulnerable Web servers. These Web applications rely on databases to provide information including login credentials, which is then stored and encrypted without anyone noticing. This encrypted data will then be inaccessible to the data owner until the owner pays the ransom.

Source: Frost & Sullivan analysis.

Malware (continued)

• According to Symantec, ransomware attacks grew 113% in 2014, driven by a more than 4,000% increase in crypto-ransomware attacks.

• In 2013, crypto-ransomware accounted for a negligible percentage of all ransomware attacks (0.2%, or 1 in 500 instances). However, in 2014, crypto-ransomware was seen 45 times more frequently.

o While crypto-ransomware predominantly attacks devices running Windows, Symantec has seen an increase in versions developed for other operating systems.

o Notably, the first piece of crypto-ransomware on mobile devices was observed on Android last year.

• HPE reported in its “Cyber Risk Report 2015” that the incidence of malware has escalated from 83 million collected malware samples to an estimated 140 million malware samples, per AV-Test.org.

• Anti-virus (AV) is the formal security measure designed to prevent malware. In general, AV is held in lower esteem by security experts each year as attacks become more sophisticated. However, AV remains valuable if properly implemented. For one thing, when used in conjunction with reputation data, the possibility of false positives is appreciably diminished.

• Fortinet holds a patent for Compact Pattern Recognition Language (CPRL), which emulates malware. The purpose of CPRL is to use AV not only for the detection of malware, but also to detect Advanced Persistent Threats.

Malware (continued)

• According to IBM X-Force, the United States dominates the scene by hosting nearly 43% of all malicious links. The country with the second highest concentration of malicious links is China, which hosts around 11%, followed by Germany, now hosting 8.3%.

• Non-targeted attacks still make up the majority of malware, which increased by 26% in 2014 per Symantec. In fact, there were more than 317 million new pieces of malware created last year, meaning nearly one million new threats were released into the wild each day.

• Malware is self-generating. Better than 95% of malware is created by botnets.

• Fortinet research noted that ZeroAccess, Andromeda, Jeefo, Smoke, and Morto were five of the most active botnets in 2013.

• Support for Microsoft’s popular Windows XP officially ended on April 8, 2014. Microsoft no longer distributes security patches for the operating system, so any existing security vulnerabilities that are found will not be patched. This gives malware authors a large attack surface to exploit, hoping the vulnerability will not be patched.

• In 2014, 1 in 1,126 Web sites was found with malware, compared to 1 in 566 in 2013, according to Symantec.

• In 2014, 20% of all Web site vulnerabilities were considered critical, giving cyber criminals the ability to access users’ sensitive data, per Symantec.

Source: Frost & Sullivan analysis.

Mobile Malware

• Differing definitions of “malware” make measuring mobile malware risk extremely difficult.

• Mobile users face a range of very real risks from ransomware, spyware, malicious apps and financial malware.

• There were 168 mobile vulnerabilities disclosed in 2014, a 32% increase compared to 2013.

• According to Symantec, 84% of mobile vulnerabilities related to Apple iOS in 2014, compared with 11% for Android, 4% for BlackBerry and 1% for Nokia.

• As of 2014, Symantec has identified more than 1 million apps that are classified as malware.

• Mobile devices can harbor malicious files that could be dangerous to traditional PCs. For example, a user could pick up a malicious file on their phone, put it in Dropbox and then open it on their work machine and become infected.

• In many ways, the term “mobile” is an arbitrary distinction; once a device is connected to a network, it becomes vulnerable to some of the same malware strains as PCs are.

• The Motive Security Labs H1 2015 Malware Report indicated that spyware disguised as adware for PCs was attaching to smartphones as well.

• In the same study, Alcatel Lucent noted that 80% of malware infections detected on mobile networks were traced to Windows-based devices.

• G DATA closely monitors the mobile malware market. In Q1 2015, G DATA found more than 440,000 new Android malware strains. In its Q1 2015 Mobile Malware Report, G DATA also found that mobile malware incidents increased by 6.4% from Q1 2014 to Q1 2015.

• Kaspersky Labs found a dramatic leap in mobile malware, reporting a 65% increase in mobile malware from Q4 2014 to Q1 2015.

Source: Frost & Sullivan analysis.

Market Trends in Public Vulnerabilities

Vulnerabilities Reported by Year

Public Vulnerability Research Market: Yearly Reported Vulnerabilities, Global, 2010–2014

[Bar chart, Yearly Vulnerability Figures (x-axis: 2010, 2011, 2012, 2013, 2014; y-axis: Vulnerabilities Reported). Values shown on the chart: 497, 519, 537, 624, 728; the 2014 bar is 728.]

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerabilities Reported by Quarter

Public Vulnerability Research Market: Quarterly Reported Vulnerabilities, Global, 2011–2014

[Bar chart (x-axis: Quarters, Q1 2011 through Q4 2014; y-axis: Vulnerabilities Reported). Values shown on the chart: 248, 213, 178, 168, 166, 165, 160, 157, 153, 146, 130, 125, 121, 110, 96, 72.]

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Market Trends

• From January 1, 2014 through December 31, 2014, there were 7,903 vulnerabilities assigned Common Vulnerabilities and Exposures (CVE) numbers.

• Many of these numbers were reserved in good faith. However, in certain cases, MITRE will not be able to confirm the vulnerability and the CVE number is held in reservation. Roughly 85 percent of the vulnerabilities given a CVE number will be verified and given a CVSS score.

• Frost & Sullivan counts 728 publicly reported and verified vulnerabilities. Frost & Sullivan only includes the vulnerabilities for which the NVD issued a public disclosure. Publicly disclosed implies that the vendor and the disclosing agency make a joint statement.

• HPE reported the most verified vulnerabilities, 317, proving the veracity of the HPE TippingPoint contributor program.

• Cyber-attacks are largely automated; the vast majority (roughly 80%) of vulnerabilities will not be acted upon.

• IBM X-Force noted that the explosion in the physical number of vulnerabilities happened between 2004 and 2006.

Source: Frost & Sullivan analysis.

Market Trends (continued)

• PAST: Customer demand drove vulnerability testing, but this factor has changed in recent years.

• PRESENT: Vulnerability testing is not an elective; companies must be able to mitigate persistent threat environments. Compliance testing is becoming more requisite as The Affordable Care Act gains traction, Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 takes hold, and international markets adopt cyber defense practices. One example, the Basic Standard for Enterprise Internal Control is mandated by the Chinese government (known as C-SOX, the Chinese equivalent of Sarbanes-Oxley in the US).

• TRENDING: The Federal Government is observing NIST 800.53A, Rev.4. This standard establishes precedence for continuous monitoring.

• The Top 20 Critical Security Controls (CSC) are vendor best practices designed to reduce the attack surface.

• The Top Five CSC measures include: 1) Inventory of Authorized and Unauthorized Devices, 2) Inventory of Authorized and Unauthorized Software, 3) Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, 4) Continuous Vulnerability Assessment and Remediation, and 5) Malware Defenses.

Source: Frost & Sullivan analysis.

Vulnerability Disclosure

Public Vulnerability Research Market: Percentage of Reported Vulnerabilities by Disclosure Type Global, 2014

Self-disclosure 10.1%

Third-party 89.9%

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerability Disclosure (continued)

• Self-disclosed vulnerabilities are vulnerabilities reported by the manufacturer of the application with the vulnerability. Third-party sources are research laboratories or individuals who report vulnerabilities in an application.

• Third-party sources continue to report the majority of vulnerabilities in 2014. Third-party sources discovered and reported 89.9% of vulnerabilities in 2014.

• Self-disclosed reports accounted for 10.1% of reported vulnerabilities.

• Manufacturers have different mechanisms for reporting vulnerabilities. Most companies issue advisories. Manufacturers like Microsoft and Oracle have a regular schedule for the release of advisories.

• Security patches are the primary method of fixing security vulnerabilities in software. A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs and improving usability and performance.

• Whether the exploit code or the vulnerability related to the patch was never made public is a matter of semantics; a vulnerability exists.

• For PSIRTs, testing for vulnerabilities includes internal and external sources. Manufacturers continue to contract out vulnerability testing to research laboratories. The need to test Web portals and applications is now as important as testing network endpoints and configurations.

Source: Frost & Sullivan analysis.

Vulnerability Disclosure (continued)

• Vulnerability disclosure is a double-edged sword. If a manufacturer discloses a vulnerability, there is an admission of a procedural weakness in the production phase.

• However, almost any application or network, at some point, will display a vulnerability. Therefore, vulnerability disclosure is part of the ongoing obligation that a manufacturer has to the customer to ensure integrity.

• When working with manufacturers, security vendors may decide not to disclose some vulnerabilities because these vulnerabilities are unfixable or too expensive and resource-intensive to fix.

Source: Frost & Sullivan analysis.

Vulnerability Disclosure by Organization Type

Public Vulnerability Research Market: Percentage of Vulnerabilities by Organization Type, Global 2014

Individual 33.5%

Government 32.6%

Security vendor 30.4%

Anonymous 3.6%

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerability Disclosure by Organization Type (continued)

Public Vulnerability Research Market: Reported Vulnerabilities by Organization Type Global, 2014

[Bar chart (x-axis: Disclosing Organization Type; y-axis: Vulnerabilities Reported)]

Individual 244

Government 237

Security vendor 221

Anonymous 26

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Vulnerability Disclosure by Organization Type (continued)

• Vulnerabilities disclosed by HPE and Secunia were counted as Individual if so indicated in their disclosures. If the vulnerability was disclosed as Secunia Research or HPE, it was counted in the Security vendor category.

• US-CERT vulnerabilities were counted in the Government category even if individually reported.

• Individual attribution of vulnerability discovery was 33.5%. Security vendors found 30.4% of all publicly disclosed vulnerabilities.

• Twenty-six vulnerabilities were reported anonymously or the attribution is unknown.

Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity

Analysis of Vulnerabilities by Severity

Public Vulnerability Research Market: Percentage of Reported Vulnerabilities by Severity, Global 2014

Critical-severity 12.4%

High-severity 30.6%

Medium-severity 51.5%

Low-severity 3.2%

N/A 2.3%

Legend: Critical severity = 10.0; High severity = 9.9 – 7.0; Medium severity = 6.9 – 4.0; Low severity = 3.9 – 0.0; N/A = Not Applicable

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis

Analysis of Vulnerabilities by Severity (continued)

Public Vulnerability Research Market: Critical-severity Vulnerabilities by Reporting Source Global, 2014

[Bar chart (x-axis: Organization; y-axis: Critical-severity Vulnerabilities Reported)]

HPE 44

US-CERT 36

Verisign iDefense 6

High-Tech Bridge 4

Secunia 1

FortiGuard Labs 1

Rapid 7 1

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity (continued)

• The National Vulnerability Database assigns a CVSS risk rating to each vulnerability, which is useful in assessing an organization’s risk and remediation priorities.

• In 2014, critical vulnerabilities rated 10.0 by the NVD amounted to 12.4% of vulnerabilities disclosed. This was down from the 24.5% reported by the same disclosing institutions in 2013. Critical-severity vulnerabilities are potentially subject to code execution and denial-of-service attacks, which can hamper or shut down an organization’s operations.

• High-severity vulnerabilities accounted for 30.6% of disclosed vulnerabilities (down from 44.1% in 2013). These vulnerabilities are also at risk of denial-of-service attacks and file modifications in a network’s infrastructure.

• Medium- and low-severity vulnerabilities represented 51.5% and 3.2% of vulnerabilities disclosed, respectively.

Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity (continued)

Public Vulnerability Research Market: Reported Vulnerabilities by Severity, Global, 2014

[Bar chart (x-axis: Threat Level, with categories Critical-severity, High-severity, Medium-severity, Low-severity; y-axis: Vulnerabilities Reported). Values shown on the chart: 375, 226, 104, 23.]

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity (continued)

Public Vulnerability Research Market: Critical & High-severity Vulnerabilities by Reporting Source, Global, 2014

[Bar chart (x-axis: Organization; y-axis: Critical- and High-severity Vulnerabilities Reported). Values shown on the chart: 148, 51, 25, 14, 13, 13, 7, 2, 2.]

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity (continued)

• HPE found a combined 150 critical and high-severity vulnerabilities. All other disclosing companies in public vulnerability research accounted for 163 critical or high-severity vulnerabilities.

• However, in 2014, HPE had contributions from as many as 3,000 people who are employees or individual reporters for the HPE TippingPoint platform.

• US-CERT contributed 107 critical or high-severity vulnerabilities. In terms of critical or high severities, High Tech Bridge reported 16, and VeriSign iDefense reported 23.

• BeyondTrust, for instance, quit public vulnerability reporting in 2013 because the economics of the business did not support its participation. VUPEN Security no longer has formal public advisories.

Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity (continued)

Public Vulnerability Research Market: Reported Vulnerabilities by Severity, Global, 2013 and 2014

Threat Level: 2013 / 2014

Critical-severity: 153 / 90

High-severity: 275 / 223

Medium-severity: 177 / 375

Low-severity: 19 / 23

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity (continued)

Public Vulnerability Research Market: Reported Vulnerabilities by Quarter and Severity, Global, 2014

Quarter: Critical-severity / High-severity / Medium-severity / Low-severity

Q1: 17 / 32 / 54 / 4

Q2: 26 / 76 / 98 / 11

Q3: 30 / 75 / 129 / 7

Q4: 17 / 40 / 93 / 4

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Vulnerabilities by Severity (continued)

• In 2014, based on the total of 728 vulnerabilities that Frost & Sullivan included in this report, 12.4% were considered critical, or the most severe, 30.6% were of high severity, while 51.4% of the vulnerabilities were rated with medium severity.

• The number of critical vulnerabilities decreased by 41.2% in 2014 compared to 2013, from 153 critical vulnerabilities in 2013 to 90 in 2014. Critical vulnerabilities have decreased in 2014 because patches are being applied earlier. According to Secunia, an improved time-to-patch rate is helping to improve vulnerability severity ratings.

• Automated systems used for continuous diagnostics do a better job of remediating critical vulnerabilities. More organizations are making the transition from alert-based to analytics-enabled security, resulting in improved security operations processes.

Source: Frost & Sullivan analysis.

Comparison of Targeted Applications

Targeted Applications

Public Vulnerability Research Market: Applications with the Highest Number of Unique Confirmed Vulnerabilities, Global, 2014

Microsoft Internet Explorer 123

Oracle Java Runtime Environment 22

Microsoft Windows 13

Apple QuickTime 12

Adobe Flash Player 12

Adobe Reader 10

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Targeted Applications

• In 2014, the top five applications with the most vulnerabilities were Microsoft Internet Explorer, Oracle Java Runtime Environment, Microsoft Windows, Apple QuickTime, and Adobe Flash Player and Reader.

• The biggest year-over-year leap was for Microsoft Internet Explorer, where 123 vulnerabilities were found in 2014 versus 73 vulnerabilities in 2013. All editions of Microsoft Internet Explorer from 6 through 11 have been targeted.

o Internet Explorer is not easily found in Windows 10. It is there, just not up front. If the replacement browser, Microsoft Edge, is not as vulnerable, upgrades and new installs of Windows 10 might reverse this trend and further confirm Microsoft's decision to build a new browser.

• There were 22 vulnerabilities associated with Java Runtime errors.

• Client-side applications, particularly Web browsers, contained the majority of reported vulnerabilities. However, for vulnerabilities in Microsoft Internet Explorer specifically, it is hard to tell what is cause and what is effect. Internet Explorer is a ubiquitous business and personal tool. Intuitively, it makes more sense to try to reach other data sources through the client side rather than attack a network directly.

• The problem is that since researchers are independently looking for vulnerabilities on their own, it is possible that researchers are focusing on Internet Explorer because this is the application best known from their research experience.

Source: Frost & Sullivan analysis.

Top Targeted Types of Applications

Public Vulnerability Research Market: Types of Applications with the Highest Number of Unique Confirmed Vulnerabilities, Global, 2014

Web Browser 138

Server 92

Business Application 75

Active X 72

Web application 59

Media Application 44

Network Management 44

Data Management 25

Router 20

Operating Systems 12

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Disclosing Institutions: Web Browser Vulnerabilities

Public Vulnerability Research Market: Web Browser Vulnerabilities by Reporting Source, Global, 2014

[Bar chart (x-axis: Organization; y-axis: Vulnerabilities Reported)]

HPE 122

Verisign 11

US-CERT 4

Symantec 1

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Disclosing Institutions: Media Applications Vulnerabilities

Public Vulnerability Research Market: Media Application Vulnerabilities by Reporting Source, Global, 2014

[Bar chart (x-axis: Organization; y-axis: Vulnerabilities Reported)]

HPE 25

Verisign 10

High Tech Bridge 4

US-CERT 3

Secunia 2

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Disclosing Institutions: Server Vulnerabilities

Public Vulnerability Research Market: Server Vulnerabilities by Reporting Source, Global, 2014

[Bar chart (x-axis: Organization, showing US-CERT, HPE, Fortiguard, IBM; y-axis: Vulnerabilities Reported)]

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Disclosing Institutions: Business Applications Vulnerabilities

Public Vulnerability Research Market: Business Applications Vulnerabilities by Reporting Source, Global, 2014

[Bar chart (x-axis: Organization; y-axis: Vulnerabilities Reported)]

HPE 34

US-CERT 28

High-Tech Bridge 4

Verisign iDefense 3

Core Security 3

IBM ISS 2

Secunia 1

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Targeted Applications by Type

• For the past few years, most of the participating public vulnerability research firms made the observation that vulnerabilities have been migrating toward the Web and toward Web-based applications. In 2014 this observation still holds true, as Frost & Sullivan found 197 vulnerabilities (or 27.1% of all vulnerabilities) directly related to Web applications.

• The Web browser was the most targeted application within Web applications, with 138 discovered vulnerabilities. Web-based applications accounted for 59 vulnerabilities.

• The Web browser is especially problematic. The most current available Microsoft Web browser is Microsoft Internet Explorer (IE) version 11. IEv6 through IEv11 are largely backward and forward compatible; however, largely is the operative word. In many cases, an application built for IEv9 is not compatible with IEv11. If an application based on an IE9 browser will not function in IEv11, the update to the newest browser will likely not be undertaken by organizations that depend on the IEv9-supported applications.

• Even without compelling reasons, many times individuals will not go through the process of updating browsers. This can have deleterious effects because patch priority goes to the most recent browser edition (this applies to Mozilla Firefox as well).

• The Oracle Java Runtime Environment is used in both business and media applications. Vulnerabilities were found in memory corruption buffers, color convert, drag-and-drop, and in the sandbox bypass.

Source: Frost & Sullivan analysis.

Analysis of Targeted Applications by Type (continued)

• Other business applications found to have vulnerabilities include IBM Lotus Notes and the data analytics tool SPSS Modeler, Novell GroupWise Messenger, Microsoft Word, and Hewlett-Packard Application Lifecycle Management.

• The media application category includes Adobe Reader, Flash Player, and Shockwave Player. Adobe was credited with 16 critical- or high-severity vulnerabilities, and eight were rated medium severity.

• Aside from Adobe media applications, other highly targeted media applications include Apple QuickTime. RealNetworks RealPlayer was found to have only one vulnerability by public vulnerability disclosing firms.

• Industrial control system (ICS) application vulnerabilities are growing due to the evolution of these systems, including standard operating system platforms and connectivity to corporate LANs and the World Wide Web. The result is that legacy systems and component devices are being exposed to modern external threats with weak or non-existent security mechanisms in place. The risk to ICS is gradually being addressed, but not nearly fast enough to protect from cyber attacks.

• The industrial control software framework component had 24 discovered vulnerabilities.

Source: Frost & Sullivan analysis.

Analysis of Targeted Applications by Type (continued)

• There were six vulnerabilities found on IP/Security cameras.

• Eight vulnerabilities were found on a Universal plug-and-play software development kit (SDK). Unfortunately, the plug-and-play SDK is found in over 200 products.

• Security management software from McAfee, Cisco, Symantec, HPE and more had 53 confirmed application vulnerabilities taking place on servers, gateways and various security appliances on networks.

• Web content management systems, better known as CMS, accounted for 29 of Frost & Sullivan’s reported application vulnerabilities. Today, the most popular Web CMS platforms, WordPress, Joomla and Drupal, account for 75% of the market, and it is common for one or more to be included as a standard feature of web hosting services.

• CMS platforms also have security issues. WordPress security plugins found that 73% of all WordPress installations studied had unpatched vulnerabilities that could be detected with a freeware vulnerability scanner. Cybercriminals know that there are large numbers of unpatched installations, so they focus heavily on CMS-based sites.

• In the realm of public vulnerabilities, there were five found vulnerabilities affecting social media.

Source: Frost & Sullivan analysis.

Targeted Web Browser Type

Public Vulnerability Research Market: Percent of Reported Vulnerabilities by Web Browser Type, Global, 2014

Microsoft Internet Explorer 89.1%

Mozilla Firefox 5.1%

Google Chrome 3.6%

Apple Safari 2.2%

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Targeted Web Browser Type (continued)

Public Vulnerability Research Market: Reported Web Browser Vulnerabilities, Global, 2014

[Bar chart (x-axis: Web Browser; y-axis: Vulnerabilities Reported, in percent): Microsoft Internet Explorer 89.1%, Mozilla Firefox 5.1%, Google Chrome 3.6%, Apple Safari 2.2%]

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

Analysis of Targeted Web Browser Type

• In 2014, Microsoft Internet Explorer had the most publicly reported vulnerabilities with 123. This was radically up from the 73 reported in the 2013 study. Of the 123 IE vulnerabilities, 32 could still affect IEv6.

• Mozilla Firefox went from 12 vulnerabilities reported in 2013 to seven reported in 2014. Comparing across the two years, it is unclear whether the Firefox browser is more securely configured, better patched, or less targeted, or whether a statistical anomaly occurred.

• Web browsers accounted for 138 of the 197 vulnerabilities attributed to Web-based applications.

Source: Frost & Sullivan analysis.

Vulnerability Analysis

Vulnerability Definitions

This research study references Common Weakness Enumeration (CWE) specifications to describe vulnerability flaw types. Definitions of the most frequently occurring vulnerabilities in 2014 are as follows:

• Buffer errors - A memory buffer is a memory slot of a specific, allocated size. Hackers can assign too much data to the memory buffer, which causes data to spill into other memory slots, resulting in application crashes or malfunctions.

• Improper input validation - Improper input validation occurs when a program accepts incorrectly formatted data as valid user input. Attackers can then input data that the program cannot handle, causing the application to crash or act improperly.

• Resource management errors - These errors occur when a program does not limit the amount of resources, such as memory or processing power, that it uses. Attackers can then use up all the system’s resources to block system access by legitimate users.

• Numeric errors - Many programs must be able to conduct precise mathematical calculations. When programs do not accurately handle numbers, such as with rounding errors or changed number signs, the program’s accuracy will be compromised.

• Cross-site scripting (XSS) - Cross-site scripting occurs when a Web site does not validate or protect a user’s data before passing it to another user. Attackers can use this high-speed malware on Web pages.

• Permissions, privileges, and access - Errors relating to permissions, privileges, and access occur when a program provides too much access or too many rights to unauthorized parties.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.

Vulnerability Definitions (continued)

• Code injection - Code injection occurs when third-party code infiltrates a program's legitimate code. This type of vulnerability allows attackers to control and manipulate a system.

• SQL injection - SQL injection enables attackers to execute code and control a database in an unauthorized manner. Vulnerabilities in Web sites or Web applications enable the attacker to inject code into the database query, which allows the attacker to control the system.

• Cryptographic issues - Cryptography is a set of algorithms that render data indecipherable to unauthorized users. Authorized users are provided with the key to decrypt and read the data. These systems may be vulnerable to attacks that bypass the cryptography or obtain unauthorized access to the key.

• CSRF - Cross-site request forgeries enable attackers to act as a particular end user and perform unauthorized actions. CSRF attacks rely on authorization and authentication data that has been saved by the user's browser, so that the forged request appears to carry the user's approval.

• Authentication issues - Businesses rely on authentication systems to confirm user identity and determine the appropriate level of access. Vulnerabilities may exist that allow users to bypass or fool authentication systems and gain unauthorized access.

Source: National Vulnerability Database. Common Weakness Enumeration. http://nvd.nist.gov/cwe.cfm#cwes; Frost & Sullivan.
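The SQL injection and cross-site scripting flaw types defined above, shown as a vulnerable routine beside its hardened form. This is an added illustration, not code from the Frost & Sullivan report or from any of the organizations it covers; the user table and the inputs are constructed, and the function names are chosen for this example only.

```python
"""Added example (not from the report): CWE-89 (SQL injection) and CWE-79
(cross-site scripting) patterns from the definitions slide, each next to its
hardened form. All table contents and inputs are constructed."""
from __future__ import annotations

import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """SQL injection pattern: the untrusted value is pasted into the SQL text,
    so input can change the query's structure instead of only its data."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_role_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened form: a bound parameter is always treated as a literal value,
    never as SQL, so the query's structure is fixed by the program."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_comment_unsafe(text: str) -> str:
    """XSS pattern: user-supplied text is placed into HTML unchanged, so
    markup in the text becomes part of the page served to other users."""
    return "<p>" + text + "</p>"


def render_comment_safe(text: str) -> str:
    """Hardened form: output encoding turns markup characters into entities,
    so the browser shows the text rather than interpreting it."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"  # constructed input that alters the unsafe query
    print("unsafe:", find_role_unsafe(db, probe))  # every role in the table
    print("safe:  ", find_role_safe(db, probe))    # nothing matches literally
    print(render_comment_safe("<script>alert('x')</script>"))
```

The two SQL routines differ only in how the name reaches the query: string concatenation lets the input terminate the quoted literal and append its own condition, while the bound parameter keeps the same input inert. Likewise, the encoded comment is rendered as text, so the script tag never reaches the browser's parser as markup.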

NFDF-74 75 Vulnerabilities Reported by Flaw Type 2013

Public Vulnerability Research Market: Reported Vulnerabilities by Top Flaw Type, Global, 2013

Flaw type: vulnerabilities reported

• Buffer overflow errors: 158
• Insufficient information: 140
• Cross-site scripting (XSS): 53
• Code injection: 42
• Resource management errors: 41
• SQL injection: 29
• Cross-site request forgery (CSRF): 28
• Input validation: 24
• Permissions, privileges, and access control: 21
• Path traversal: 18
• Numeric errors: 13
• OS command injections: 10
• Information leak/disclosure: 10
• Other: 8
• Authentication issues: 8
• Cryptographic issues: 8
• Credentials management: 7
• Design error: 2
• Configuration: 1
• Race conditions: 1
• Format string: 1
• Redirection unwanted site: 1

Note: All figures are rounded. Source: Frost & Sullivan analysis.

NFDF-74 76 Vulnerabilities Reported by Flaw Type (For 2014)

Public Vulnerability Research Market: Reported Vulnerabilities by Top Flaw Type, Global, 2014

Flaw type: vulnerabilities reported

• Buffer overflow errors: 170
• Cross-site scripting (XSS): 78
• Input validation: 44
• Permissions, privileges, and access control: 42
• Insufficient information: 35
• Path traversal: 35
• Code injection: 32
• Resource management errors: 32
• SQL injection: 28
• Information exposure: 25
• Cross-site request forgery (CSRF): 22
• Cryptographic issues: 17
• Credentials management: 16
• OS command injections: 14
• Authentication issues: 13
• Other: 9
• Numeric errors: 6
• Resource manager errors: 6
• Command injection: 3
• Unrestricted upload of file: 2

Note: All figures are rounded. Source: Frost & Sullivan analysis.

NFDF-74 77 Disclosing Institutions: Buffer Overflow Errors

Public Vulnerability Research Market: Reported Buffer Overflow Errors by Reporting Source, Global, 2014

Organization: buffer overflow errors reported

• HPE: 125
• Verisign iDefense: 14
• US-CERT: 13
• Core Security: 13
• Other: 5

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 78 Disclosing Institutions: Code Injection Errors

Public Vulnerability Research Market: Code Injection Errors by Reporting Source, Global, 2014

Organization: code injection errors reported

• HPE: 18
• US-CERT: 11
• High-Tech Bridge: 3

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 79 Top Impact Type

Public Vulnerability Research Market: Percentage of Vulnerability Reports by Associated Impacts, Global, 2014

Impact type: share of vulnerability reports

• Denial-of-service/file modification/unauthorized access: 66.2%
• File modification: 12.5%
• Unauthorized disclosure: 8.9%
• Denial-of-service: 4.1%
• Unauthorized disclosure/modification: 1.8%
• Other: 6.5%

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 80 Top Impact Types (continued)

Public Vulnerability Research Market: Percentage of Denial-of-Service/File Modification/Unauthorized Access Impacts by Reporting Source, Global, 2014

Organization: share of reports with this impact

• HPE: 55.2%
• US-CERT: 26.1%
• VeriSign iDefense: 5.2%
• High-Tech Bridge: 4.1%
• Core Security: 3.5%
• FortiGuard: 0.8%
• Secunia: 0.8%
• IBM ISS: 0.4%
• Other: 3.7%

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 81 Analysis of Impact Types

• The NVD was the final authority used to report the impacts in the tables.

• Buffer overflow errors were the most common vulnerability flaw in 2013 and remained so in 2014. HP found 125 buffer overflow errors in 2014, followed by Verisign, which found 14.

• Interestingly, the NVD determined there were 136 vulnerabilities for which a known vulnerability flaw could not be ascribed to a potential exploit.

• Cross-site scripting (XSS) (78 vulnerabilities), input validation (44 vulnerabilities), and code injection (32 vulnerabilities) were the next most common vulnerability flaws.

• When a vulnerability was found, 66.2 percent of the time the impact was likely to be exploited to deny service, modify files, and allow unauthorized access (482 vulnerabilities could be subject to all three impacts). This could be classified as a jailbreak vulnerability.

• HPE found 55.2 percent of all of the jailbreak vulnerabilities discovered by public vulnerability reporting organizations.

Source: Frost & Sullivan analysis.

NFDF-74 82 Competitive Analysis

NFDF-74 83 Competitive Analysis Verified Vulnerabilities

Public Vulnerability Research Market: Market Share for Verified and Reported Vulnerabilities by Disclosing Source, Global, 2014

Disclosing source: market share of verified vulnerabilities

• HPE: 43.5%
• US-CERT: 35.3%
• High-Tech Bridge: 7.4%
• Verisign: 3.7%
• Core Security: 2.7%
• FortiGuard Labs: 1.9%
• IBM ISS: 1.2%
• Secunia: 1.0%
• Other: 3.2%

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 84 Competitive Analysis Verified Vulnerabilities (continued)

Public Vulnerability Research Market: Verified Reported Vulnerabilities by Source, Global, 2014

Organization: verified vulnerabilities reported

• HPE: 317
• US-CERT: 257
• High-Tech Bridge: 54
• Verisign iDefense: 27
• Core Security: 20
• FortiGuard Labs: 14
• IBM ISS: 9
• Secunia: 7
• Other: 23

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 85 Competitive Analysis Verified Vulnerabilities (continued)

Public Vulnerability Research Market: Total Verified Reported Vulnerabilities by Source, Global, 2013 and 2014

Organization: verified vulnerabilities reported (2013 / 2014)

• HPE: 249 / 317
• US-CERT: 155 / 257
• Secunia: 94 / 7
• High-Tech Bridge: 52 / 54
• IBM ISS: 25 / 9
• Core Security: 22 / 20
• Verisign iDefense: 18 / 27
• FortiGuard Labs: 7 / 14
• Other: 2 / 23

Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 86 Competitive Analysis Verified and Unverified Vulnerabilities

Public Vulnerability Research Market: Verified and Unverified Reported Vulnerabilities by Source, Global, 2014

Organization: verified and unverified vulnerabilities reported

• HPE: 343
• US-CERT: 282
• High-Tech Bridge: 54
• Verisign iDefense: 28
• Core Security: 20
• FortiGuard Labs: 18
• Secunia: 8
• IBM ISS: 8

N=728 vulnerabilities Note: All figures are rounded. The base year is 2014. Source: Frost & Sullivan analysis.

NFDF-74 87 Competitive Analysis (continued)

• For statistical purposes, Frost & Sullivan uses only verified vulnerabilities in the formal analysis.

• This is not meant to cast aspersions on unverified vulnerabilities. Under the Frost & Sullivan definition, a vulnerability is verified once NVD has issued it a CVSS temporal score. It is worth noting that the CVSS score presented in an advisory does not always match the final score issued by NVD.

• The most likely reason a vulnerability remains unverified is that the NVD could not prove a vulnerability exists. Either there was little exploit code provided or the vulnerability could not be replicated in the lab.

• Another possibility is that the vulnerability has not been tested. By the time a vulnerability becomes public, usually within six months, a CVSS score is issued—but there are occasions when this takes longer.

• Vulnerability reporting by an individual company tends to vacillate from year to year. In 2014, HPE reported the most verified and unverified vulnerabilities with 343. In 2013, that number was down to 286; however, in 2012, the number of verified vulnerabilities was 249.

• In terms of verified vulnerabilities in 2014, US-CERT follows with 257, and High-Tech Bridge is next with 54.

Source: Frost & Sullivan analysis.
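The verified/unverified split described on this slide, applied in code: an advisory counts as verified only when NVD has issued a temporal score, the advisory's own CVSS score is kept separately because it may disagree with NVD's, and market share by disclosing source is then computed over the verified set only. This is an added example, not Frost & Sullivan's tooling; the advisory records are constructed with placeholder identifiers, and the per-source counts used at the end are the 2014 verified totals shown in the exhibits above.

```python
"""Added example (not from the report): classify advisories as verified or
unverified by the report's rule (NVD temporal score issued), flag advisories
whose own CVSS score differs from NVD's, and compute market share by
disclosing source. Advisory records are constructed; identifiers are
placeholders, not real CVE numbers."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    adv_id: str                  # placeholder identifier (constructed)
    source: str                  # disclosing organization
    advisory_score: float        # CVSS score printed in the advisory
    nvd_temporal: float | None   # NVD temporal score; None = not issued yet


def is_verified(adv: Advisory) -> bool:
    """Report definition: verified once NVD has issued a CVSS temporal score.
    The advisory's own score plays no role in this decision."""
    return adv.nvd_temporal is not None


def split_by_verification(advisories: list[Advisory]) -> tuple[list[Advisory], list[Advisory]]:
    """Return (verified, unverified) in the original order."""
    verified = [a for a in advisories if is_verified(a)]
    unverified = [a for a in advisories if not is_verified(a)]
    return verified, unverified


def score_disagreements(advisories: list[Advisory]) -> list[str]:
    """IDs of verified advisories whose printed CVSS score differs from the
    final NVD temporal score (the mismatch the slide warns about)."""
    return [a.adv_id for a in advisories
            if is_verified(a) and a.advisory_score != a.nvd_temporal]


def share_from_counts(counts: dict[str, int]) -> dict[str, float]:
    """Percentage of the total per source, rounded to one decimal as in the
    report's exhibits."""
    total = sum(counts.values())
    return {src: round(100.0 * n / total, 1) for src, n in counts.items()}


def share_by_source(advisories: list[Advisory]) -> dict[str, float]:
    """Market share computed over verified advisories only, as the report does."""
    verified, _ = split_by_verification(advisories)
    return share_from_counts(Counter(a.source for a in verified))


# Constructed sample: six advisories from three sources, two not yet scored by NVD.
SAMPLE = [
    Advisory("ADV-0001", "HPE", 7.5, 7.1),
    Advisory("ADV-0002", "HPE", 9.3, None),
    Advisory("ADV-0003", "US-CERT", 5.0, 4.8),
    Advisory("ADV-0004", "US-CERT", 6.8, 6.8),
    Advisory("ADV-0005", "High-Tech Bridge", 4.3, None),
    Advisory("ADV-0006", "High-Tech Bridge", 4.3, 4.0),
]

# Verified vulnerabilities per source for 2014, as given in the exhibits (N=728).
EXHIBIT_2014_VERIFIED = {
    "HPE": 317, "US-CERT": 257, "High-Tech Bridge": 54, "Verisign iDefense": 27,
    "Core Security": 20, "FortiGuard Labs": 14, "IBM ISS": 9, "Secunia": 7, "Other": 23,
}

if __name__ == "__main__":
    verified, unverified = split_by_verification(SAMPLE)
    print(len(verified), "verified,", len(unverified), "unverified")
    print("advisory/NVD score mismatches:", score_disagreements(SAMPLE))
    print("sample share:", share_by_source(SAMPLE))
    print("2014 exhibit share:", share_from_counts(EXHIBIT_2014_VERIFIED))
```

Run on the exhibit counts, share_from_counts reproduces the 43.5 percent (HPE) and 35.3 percent (US-CERT) shown on the market-share slide, which confirms that the report's percentages are taken over the 728 verified vulnerabilities rather than over all reports.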

NFDF-74 88 The Status Of Public Vulnerability Reporting

NFDF-74 89 The Status of Public Vulnerability Reporting

• The concept of public vulnerability reporting is rapidly fading.

• In 2013, BeyondTrust and VUPEN discontinued their public vulnerability reporting practices. Apparently, IBM ISS and Fortinet Labs have dedicated fewer resources to the practice.

• Understand that this does not mean that there is less vulnerability research—far from it. The majority of vulnerability incidents detected actually make it to the frontlines of perimeter defenses.

• In vulnerability management, companies like Tenable Network Security, Qualys, and Beyond Security have extensive vulnerability libraries.

• Furthermore, large endpoint protection and security management platforms like Intel Security (McAfee) ePolicy Orchestrator and Cisco Advanced Malware Protection (AMP) uncover vulnerabilities.

• With Cisco Threat Grid and the Open Threat Exchange (OTX) sponsored by AlienVault, when any appliance under these companies' threat management network detects malware, the information is shared with all of the appliances on the network.

• The relationships between PSIRT teams and security appliance teams continue to improve. As a hypothetical, if Rapid7 discovers a vulnerability in a Bank of America application, the odds of getting detailed information about the threat conditions to Bank of America are better in 2015 than in 2014 (and appreciably better than in 2010-11).

Source: Frost & Sullivan analysis.

NFDF-74 90 The Status of Public Vulnerability Reporting (continued)

• Reports published by IBM, Symantec, and Cisco among others.

• The idea of public disclosure is connoted differently. The process involves a vulnerability discovery, reporting to MITRE, and an agreed-upon date to issue an advisory. Often that loop takes between three and seven months to complete, and intervals of more than a year are not uncommon.

• In the mid-2000s, "pay-for-discovery" was a fairly normal industry paradigm. Network professionals or people passionate about coding could discover vulnerabilities and make some extra income.

• By 2014, HPE was more or less alone in this practice.

• Some legacy practices exist. Secunia (which was purchased by Flexera Software in September 2015) uses public vulnerability disclosure to promote the products it offers in vulnerability management, patch management, and PC application protection.

• High-Tech Bridge uses its public vulnerability disclosure program to showcase its skill set in ethical hacking and to call attention to ImmuniWeb, its Web scanning and Web application testing platform.

• Google is also radically changing the game. In July 2014, Google announced Project Zero.

o As a part of Project Zero, Google announced the formation of a dedicated team that would discover and report vulnerabilities. In part, Google has a self-interest: Google has an Internet browser, and its search tools are more effective in a more secure environment.

Source: Frost & Sullivan analysis.

NFDF-74 91 The Status of Public Vulnerability Reporting (continued)

• The project has received mixed reviews. In December 2014, Google reported several vulnerabilities in Microsoft products. Microsoft felt that it had been unjustly singled out for unwarranted negative attention.

• In February 2015, Google announced it would extend the discovery-disclosure cycle to 90 days and would provide another two-week grace period if a company is actively working on patching its vulnerabilities.

• HPE maintains its Pwn2Own contests. The Pwn2Own program is a high-spirited contest for ethical hackers with cash incentives (in 2013 Pwn2Own paid $850,000 in prizes).

• At different times, hackers were challenged to break biometric code, mobile OSs, and selected software kernels.

• The HPE Zero Day Initiative (ZDI) still gets contributions from individuals reporting software platform defects and vulnerabilities. The individuals are still compensated.

• Many of the contributors have been with the program since 2010, and these researchers are demonstrating proof-of-concept at the root-cause level and writing succinct, verifiable exploit code.

• Toward public vulnerability reporting, HPE pulls in elements of Fortify, Pwn2Own, the HP ZDI, and TippingPoint.

• In October 2015, Trend Micro announced that it is acquiring HP TippingPoint.

• According to Trend Micro, HPE and Trend Micro have also agreed to a strategic OEM arrangement that includes the incorporation of select components of the next-generation intrusion prevention systems (NGIPS) into HPE's networking division.

Source: Frost & Sullivan analysis.

NFDF-74 92 Conclusions

NFDF-74 93 Conclusions

1. Many of the public vulnerability reporting firms felt that there were more, but less severe, vulnerabilities in 2014 than in 2013. At least in the sampling Frost & Sullivan considered, there were more vulnerabilities, and they were slightly less severe than the year before, partly because an improved time-to-patch rate is helping to improve vulnerability severity ratings.

2. Without exception, public vulnerability companies report improving relations with the PSIRTs of major companies. This leads to better patch management.

3. Vulnerability research is expanding beyond network endpoints. Web applications and browsers, malware, mobile malware, SCADA, and the Internet of Things are becoming part of vulnerability research.

Source: Frost & Sullivan analysis.

NFDF-74 94 Appendix

NFDF-74 95 Vulnerability Database Sources (for 2014)

• CORE Security Research

• Verisign iDefense

• FortiGuard Labs

• Hewlett-Packard Enterprise

• High-Tech Bridge

• IBM ISS

• National Vulnerability Database

• Secunia

• US-CERT

NFDF-74 96 List of Publications Cited in This Report

• Cisco 2014 Annual Security Report
• Cisco 2015 Annual Security Report
• Fortinet 2014 Threat Landscape Report
• HPE Cyber Risk Report 2014
• HPE Cyber Risk Report 2015
• IBM X-Force 2014 Mid-Year Trend and Risk Report
• IBM X-Force Threat Intelligence Quarterly, 1Q 2014
• IBM X-Force Threat Intelligence Quarterly, 4Q 2014
• Secunia Vulnerability Review 2014
• Verizon Data Breach Investigations Report 2014
• Symantec Internet Security Threat Report 2015
• High-Tech Bridge Security Research Blog
• Motive Security Labs H1 2015 Malware Report

Source: Frost & Sullivan

NFDF-74 97 Legal Disclaimer

• Frost & Sullivan takes no responsibility for any incorrect information supplied to us by manufacturers or users. Quantitative market information is based primarily on interviews and therefore is subject to fluctuation. Frost & Sullivan research services are limited publications containing valuable market information provided to a select group of customers. Our customers acknowledge, when ordering or downloading, that Frost & Sullivan research services are for customers’ internal use and not for general publication or disclosure to third parties. No part of this research service may be given, lent, resold or disclosed to noncustomers without written permission. Furthermore, no part may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the permission of the publisher.

• For information regarding permission, write to: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041

© 2014 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan. No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.

NFDF-74 98 The Frost & Sullivan Story

The Journey to Visionary Innovation
