2018 Security Threat Report
Assessing Nine Years of Cyber Security Vulnerabilities and Exploits
Internal Audit, Risk, Business & Technology Consulting
Executive Summary
Finding the right words to describe the magnitude of cyber security today is like trying to define the size and splendor of the Grand Canyon to someone unfamiliar with the natural wonder of the world. News of massive data breaches continues to make headlines. Among the largest breaches to date, one of the major consumer credit reporting agencies announced last year that hackers accessed its store of Social Security numbers, driver’s license data, birth dates and other personal information on more than 140 million consumers. A decade ago, such news would have been unimaginable. But sadly, over the last several months, disclosures of significant cyber security breaches have become routine as organizations increasingly rely on vulnerable digital technologies and third-party service providers.
At the same time, cyber criminals are becoming more creative and sophisticated. New cyber threats emerge daily that put any number of business systems at risk, and companies face a monumental challenge to keep pace with the threats and safeguard their data, particularly their “crown jewels.” It’s no surprise that cyber security is the chief concern not only for CIOs and IT departments, but also for executive-level management and boards of directors.
This report aims to help organizations address and understand the cyber security landscape by exploring and detailing the most common digital threats today. Since 2009, Protiviti security labs in the United States have performed more than 500 in-depth security scans on behalf of a broad range of organizations to test and assess their IT systems and infrastructure for cyber security risks. Keeping the organizations anonymous, we have compiled and quantified the vulnerability and threat discoveries in our data, offering insights and trends regarding the types of threats organizations are most likely to face, the most frequently perpetrated cyber crimes, the recent acceleration of attacks, and trends in cyber attacks by industry and size, among other views.
In addition, we provide insight into the root causes underlying the vulnerabilities and practical guidance on how companies can protect their information. In these times of digital treachery, we hope you find this report useful.
Key calls to action we define include:
01 Strong permission and user access controls
02 Employee security awareness
03 Patch management
04 System configuration management
05 Periodic penetration testing
protiviti.com 2018 Security Threat Report · 1
About Our Study
We compiled the data, analyses and trends presented in this report by reviewing information from security vulnerability scans of IT systems of more than 500 organizations in a broad range of industries. Over a nine-year period, Protiviti’s security experts were engaged by these companies to scan their networks, detect vulnerabilities, and help fix issues and establish proper mechanisms for monitoring and prevention. This data has been aggregated and analyzed into data points that we believe are both informative and useful for those trying to safeguard their systems.
Some important notes and definitions about the data in our report:
• The scanned data from these engagements was not validated – rather, it is the raw data from a leading vulnerability scanner that the Protiviti teams used.
• The test data is from a broad range of industry organizations:
–– Financial Services
–– Healthcare and Life Sciences
–– Consumer Products and Services
–– Energy and Utilities
–– Technology, Media and Telecommunications
–– Manufacturing
–– Education
• The data contains results from those of internet-facing systems (external) as well as systems on the inside of the organization’s firewall (internal).
• Vulnerability data contained within this study relate to network-related issues only. Web application vulnerabilities are not included. In addition, vulnerability data related to the same missing patch or outdated system versions have been removed, with only the highest total remaining, to reduce repeat items.
• Vulnerability refers to a weakness in a computer system that reduces its security posture.
• Exploit refers to vulnerabilities that have publicly available exploit code as of the time of testing.
• Risk rankings generally follow the standard CVSS scoring mechanism:
–– Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
–– Vulnerabilities are labeled “Medium” severity if they have a CVSS base score of 4.0-6.9.
–– Vulnerabilities are labeled “High” severity if they have a CVSS base score of 7.0-8.9.
–– Vulnerabilities are labeled “Critical” severity if they have a CVSS base score of 9.0-10.0.
Key Definitions
• Vulnerability: Weakness in a computer system that reduces its security posture
• Exploit: Vulnerabilities that have publicly available exploit code
• External: Internet facing systems
• Internal: Non-internet facing systems
• Risk rankings: Follow CVSS scoring mechanism: Critical: 9.0 - 10.0; High: 7.0 - 8.9; Medium: 4.0 - 6.9; Low: 0.0 - 3.9
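The data handling described in the study notes (count findings per system, keep only the highest-total item among findings for the same missing patch, label severity from the CVSS base score, split external from internal, and track which findings have public exploit code) can be applied to any scanner export. The sketch below is an added example, not Protiviti's tooling: the record layout, the `patch_group` key and every sample finding are constructed assumptions, and the "highest total" rule is implemented as one reading of the report's wording.

```python
from collections import defaultdict
from dataclasses import dataclass

# CVSS base-score floors for the four labels used in the report's risk rankings.
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to Low / Medium / High / Critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return next(label for floor, label in BANDS if score >= floor)


@dataclass(frozen=True)
class Finding:
    host: str
    zone: str             # "external" (internet-facing) or "internal"
    title: str            # scanner finding name
    patch_group: str      # hypothetical key: findings closed by the same patch or upgrade
    cvss: float
    exploit_public: bool  # public exploit code existed at time of testing


def aggregate(findings):
    """Count affected hosts per finding, then keep one finding per patch group."""
    per_title = {}
    for f in findings:
        if f.zone not in ("external", "internal"):
            raise ValueError(f"unknown zone: {f.zone!r}")
        row = per_title.setdefault(f.title, {
            "title": f.title, "patch_group": f.patch_group, "cvss": f.cvss,
            "exploit_public": False, "hosts": {"external": set(), "internal": set()},
        })
        row["hosts"][f.zone].add(f.host)  # a set ignores repeat hits on one host
        row["cvss"] = max(row["cvss"], f.cvss)
        row["exploit_public"] = row["exploit_public"] or f.exploit_public

    kept = {}
    for row in per_title.values():
        hosts = row.pop("hosts")
        row["external"], row["internal"] = len(hosts["external"]), len(hosts["internal"])
        row["total"] = row["external"] + row["internal"]
        row["severity"] = severity(row["cvss"])
        best = kept.get(row["patch_group"])
        # Same missing patch reported under several names: keep the highest total
        # (ties broken by title so the result is deterministic).
        if best is None or (row["total"], row["title"]) > (best["total"], best["title"]):
            kept[row["patch_group"]] = row
    return sorted(kept.values(), key=lambda r: (-r["total"], r["title"]))


def summarize(rows):
    """Totals by severity and zone, plus the share of findings with a public exploit."""
    by_severity = defaultdict(int)
    for r in rows:
        by_severity[r["severity"]] += r["total"]
    exploitable = sum(1 for r in rows if r["exploit_public"])
    return {
        "by_severity": dict(by_severity),
        "external": sum(r["external"] for r in rows),
        "internal": sum(r["internal"] for r in rows),
        "exploit_share": exploitable / len(rows) if rows else 0.0,
    }


def _hits(hosts, zone, title, group, cvss, exploit):
    return [Finding(h, zone, title, group, cvss, exploit) for h in hosts]


# Constructed sample findings (not data from the report).
SAMPLE = (
    _hits(["10.0.0.5", "10.0.0.6", "10.0.0.7"], "internal",
          "Example OS patch A missing (credentialed check)", "patch-A", 8.1, True)
    + _hits(["10.0.0.5"], "internal",
            "Example OS patch A missing (uncredentialed check)", "patch-A", 8.1, True)
    + _hits(["192.0.2.10"], "external",
            "Example OS patch A missing (uncredentialed check)", "patch-A", 8.1, True)
    + _hits(["192.0.2.10", "192.0.2.11"], "external",
            "Example weak TLS cipher enabled", "tls-cipher", 4.3, False)
    + _hits(["10.0.0.6"], "internal",
            "Example weak TLS cipher enabled", "tls-cipher", 4.3, False)
    + _hits(["192.0.2.11"], "external", "Example web server RCE", "patch-B", 9.8, True)
    + _hits(["10.0.0.7", "10.0.0.7"], "internal",
            "Example banner disclosure", "banner", 2.6, False)
)

if __name__ == "__main__":
    for r in aggregate(SAMPLE):
        print(f'{r["total"]:>3}  {r["severity"]:<8}  ext={r["external"]} int={r["internal"]}  '
              f'exploit={r["exploit_public"]}  {r["title"]}')
    print(summarize(aggregate(SAMPLE)))
```

Without the per-patch reduction, the two "patch A" entries would both appear in a top-N list and inflate the apparent number of distinct issues.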
Key Takeaways/Trends and Analysis
Based on the wealth of data taken from nine years’ worth of security scans and the trends they reveal, there are a number of key takeaways and learnings:
• Patching, both external and internal, remains a critical issue. In particular, application patching appears to be a more problematic issue than operating system patching.
• Organizations are still running a significant number of unsupported systems.
• There have been consistent challenges with SSL, especially with regard to weak ciphers and diversions. Though the raw number of issues hasn’t reached a high level, this is an area for organizations to monitor.
• Not surprisingly, the number of exploits and vulnerabilities organizations have experienced has risen over time. Also of no surprise, the ports with the most vulnerabilities are Windows 445 and web 443.
• Every few years, a major critical exploit comes along that has a drastic impact on the security landscape. Just a few examples include MS08-067, Heartbleed, Shellshock (CVE-2014-6271), MS17-010 and MS15-034.
• Just under half of the vulnerabilities identified during testing have a publicly available exploit.
Organizations Included by Industry and Number of Scans/Tests Performed
Industry | Share
Consumer Products & Services | 36%
Financial Services | 29%
Healthcare & Life Sciences | 10%
Technology, Media & Telecommunications | 9%
Manufacturing | 8%
Energy & Utilities | 7%
Education | 1%
Call to Action
Regardless of an organization’s industry or size, developing, establishing and implementing five basic security principles will dramatically reduce an organization’s risk of a security breach. Organizational networks are only as strong as their weakest link. As such, each of these areas needs to be looked at, evaluated and improved individually and collectively in order to raise the bar high enough so that a non-targeted attacker will be compelled to move on to the next network.
The five items are:
1. Strong permission and user access controls – Maintaining strong access controls is one of the primary ways to protect against a breach. Seemingly simple steps such as ensuring appropriate permissions, reducing the number of powerful administrative accounts and changing default passwords significantly reduce the attack surface for a hacker. Software, systems and devices are often preloaded with default permissions, usernames and passwords that are easily identifiable through a quick internet search or system query. Attempting to access systems with default permissions and guessing these usernames and passwords often is one of the first steps an attacker will take when attempting to gain control of a system.
Organizations that periodically check their network for default permissions/credentials and implement this change as part of the standard system deployment procedures reduce the likelihood of one or more attackers gaining easy access to a network.
2. Employee security awareness – Without strong employee security awareness, attackers can manipulate and prey on human emotion and behavior to greatly reduce the effectiveness of technology, often very expensive, that the organization put in place to protect its networks. Social engineering attacks try to obtain information that should not be disclosed and could facilitate gaining unauthorized access to companies’ private data and resources. Examples of this include seeking information required to reset and recover an employee’s password or any other important information through electronic (phishing) or physical means, or through phone calls.
Strong security awareness programs provide and reinforce security awareness communications and training provided to employees. Communications inform employees and other users of the latest security threats, activities the organization is taking to mitigate these risks, and measures that users can take to protect themselves and contribute to promoting a secure office environment. Periodic communications also stress proper password protection and management, as well as provide employees with appropriate steps to take when they feel that social engineering techniques are being attempted.
3. Patch management – As noted in the threat data presented in our report, most vulnerabilities can be remediated and/or are the result of a system not being properly patched. This not only applies to operating systems, but also to applications. While getting a handle on application patching is often more difficult than on operating systems (largely due to the number of applications and required patches in an environment), it is equally important to protect the organization. Organizations should use automated tools to both identify and apply patches in an environment.
Strong patch management programs have a good handle on the security patch levels on all systems throughout the environment (network devices, operating systems and applications). Systems that are not currently integrated with the existing patch management process are integrated into the centrally managed process. In instances where systems cannot be upgraded or patched due to business constraints, compensating controls (e.g., VLANs or firewalls) should be implemented to protect the rest of the network.
4. System configuration management – Strong configuration management ensures that systems are consistently and securely configured across the environment (with exceptions where necessary) to prevent attackers from easily gaining access to systems and data. Areas such as password and audit policies, services, and file permissions are controlled through the configuration management process.
Organizations with effective configuration management define a standard (usually based on single or hybrid industry standards), deploy it across applicable systems in the environment, and periodically confirm the configurations do not change. This is often controlled centrally to reduce required staff hours as well as lessen the difficulty in determining adherence to defined standards.
5. Periodic penetration testing – To ensure the first four calls to action, as described above, are being executed, organizations should perform periodic penetration testing across various pieces of IT infrastructure, including application and network layers. Organizations should commit to performing periodic penetration testing at least annually, though more frequently is better. This periodic testing identifies low-hanging fruit, in terms of security vulnerabilities to address, and keeps the organization up-to-date with the latest tricks and techniques attackers are using. Without periodic testing, organizations may be susceptible to issues outside the scope of the four action items above or may believe certain truths but cannot verify their validity.
Recent breaches continue to reinforce the prevailing wisdom that companies today fall into two groups — those that have been breached and know it, and those that have been breached but don’t know it. In addition to preventative measures, organizations must work on maturing detective controls and response procedures. Activities that simulate common attack patterns should be carried out within organizations to determine whether their defenses can detect and respond effectively.
— Andrew Retrum, Protiviti Managing Director – Technology Consulting, Security and Privacy
High-Level Findings (2009 – 2017)
Following are notable high-level findings from Protiviti's vulnerability assessment data. More detailed results are presented starting on page 14.
The graph below identifies the top 10 most common vulnerabilities with a publicly available exploit that existed across all clients and industries.
Top 10 Most Common Exploitable Vulnerabilities by Total Count
Vulnerability | CVE ID | Count
HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2058
Windows Kernel Win32k.sys, Multiple Vulnerabilities | CVE-2013-3660 | 1398
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 1364
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 1122
MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 680
Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) | CVE-2013-0401 | 588
Oracle Java JDK/JRE Remote Code Execution Vulnerability | CVE-2013-0809 | 398
Apache 2.2 < 2.2.22 Multiple Vulnerabilities | CVE-2011-3368 | 349
Splunk Enterprise < 6.4.2 | CVE-2013-0211 | 313
OpenSSL AES-NI Padding Oracle MiTM Information Disclosure | CVE-2016-2107 | 296
In a recent global survey from Protiviti and North Carolina State University’s ERM Initiative, more than 700 directors and C-level executives ranked cyber risk as a top three risk overall, and a “significant impact” risk for businesses in financial services; technology, media and telecommunications; healthcare and life sciences; and energy and utilities. Both directors and CEOs rated cyber as the second-highest risk.
— Source: Executive Perspectives on Top Risks for 2018, North Carolina State University’s ERM Initiative and Protiviti, www.protiviti.com/toprisks.
The graph below identifies the top 10 most common vulnerabilities, with or without a publicly available exploit, across all organizations and industries.
Top 10 Most Common High-Risk Vulnerabilities by Total Count
Vulnerability | CVE ID | Count
MS12-020: Remote Desktop Protocol Vulnerability | CVE-2012-0002 | 2836
HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2058
MS14-066: Microsoft Schannel Remote Code Execution Vulnerability | CVE-2014-6321 | 2018
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 1364
OpenSSL ChangeCipherSpec MiTM Vulnerability | CVE-2010-5298 | 1255
MS11-025: MFC Insecure Library Loading Vulnerability | CVE-2010-3190 | 1237
Microsoft Windows SMB Information Disclosure Vulnerability | CVE-2017-0267 | 875
MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 680
MS13-022: Vulnerability in Microsoft Silverlight Remote Code Execution | CVE-2013-0074 | 663
MS13-041: Vulnerability in Lync Remote Code Execution | CVE-2013-1302 | 659
In this modern era of constant attacks, it’s expected that public-facing services will be attacked day in and day out. As such, organizations with a well-designed and thoughtful vulnerability management program will do several things, including scanning public-facing systems immediately upon notification of critical vulnerabilities, quickly patching known vulnerabilities for critical public-facing services, and tracking and verifying patch deployment as part of a comprehensive governance process.
— Randy Armknecht, Protiviti Managing Director – Technology Consulting, Cybersecurity
The graph below shows the normalized relationship between vulnerabilities and publicly available exploits over time.
Number of Unique Vulnerabilities and Exploits Over Time
[Line chart: Normalized Vulnerabilities Value and Normalized Exploit Value by year, 2009 to 2017, on a vertical axis from 0 to 160.]
The percentage of increases and decreases in exploits generally correlates with the number of identified vulnerabilities.
Digital transformation and innovative disruption are driving cyber attackers to become increasingly creative. In response, security teams should begin rethinking some of the traditional ways in which they respond to higher threat levels. For example, security groups should consider artificial intelligence and machine learning and how these areas can be applied to cyber security measures. Organizations also should consider the security risks that AI and machine learning pose as these innovations are introduced in other parts of the organization.
— Jonathan Wyatt, Protiviti Managing Director – Leader, Protiviti Digital
The graph below depicts the relationship of uniquely identified publicly available exploits between external and internal infrastructure.
Number of Unique External vs. Internal Infrastructure Exploits by Year
Year | External Exploits | Internal Exploits
2017 | 260 | 435
2016 | 161 | 404
2015 | 381 | 1128
2014 | 314 | 395
2013 | 38 | 665
2012 | 93 | 238
2011 | 1 | 432
2010 | 7 (only one value is shown for this year)
2009 | 69 (only one value is shown for this year)
As expected, internal networks contain many more exploitable vulnerabilities compared to external networks.
The graph below shows the relationship of uniquely identified vulnerabilities, regardless of whether an exploit exists, between external and internal infrastructure.
Number of Unique Vulnerabilities – External vs. Internal Infrastructure
Year | Internal Infrastructure Vulnerabilities | External Infrastructure Vulnerabilities
2017 | 684 | 1534
2016 | 630 | 166
2015 | 1194 | 540
2014 | 747 | 307
2013 | 1408 | 179
2012 | 1104 | 251
2011 | 868 | 50
2010 | 100 | 16
2009 | 480 | 31
Unlike previous years, 2017 external vulnerabilities far exceeded internal vulnerabilities due to the increase in items related to SSL and SMB, as well as the number of external tests executed.
Below is a graphic showing the most vulnerable ports from both an external and internal perspective.
Top 10 Ports with Vulnerabilities — by Total Count
Rank | Port | Count
01 | microsoft-ds (445) | 46675
02 | https (443) | 32679
03 | http (80) | 18530
04 | netbios-ssn (139) | 8518
05 | ssh (22) | 8278
06 | dcom-scm (135) | 6233
07 | telnet (23) | 6106
08 | h323 (1720) | 3442
09 | netbios-ns (137) | 3040
10 | sunrpc (111) | 2860
Microsoft Windows and web servers have the most vulnerabilities.
Most technology leaders lack high confidence in their organization’s ability to prevent, monitor, detect or escalate security breaches by a well-funded external attacker or by a company insider. However, there is a benefit to not being overconfident: It can stave off complacency while helping to sustain a commitment to continually adapt and improve current practices as cyber attacks grow more sophisticated.
— Scott Laliberte, Protiviti Managing Director – Global Leader, Security and Privacy Practice
The chart below depicts the top 10 most vulnerable ports from an external perspective.
Top 10 Ports with External Vulnerabilities — by Total Count
Rank | Port | Count
01 | https (443) | 16177
02 | http (80) | 4815
03 | microsoft-ds (445) | 1043
04 | netbios-ssn (139) | 978
05 | telnet (23) | 577
06 | ssh (22) | 562
07 | ntp (123) | 394
08 | ftp (21) | 370
09 | smtp (25) | 313
10 | isakmp (500) | 286
A significant number of companies are leaving Windows systems directly exposed on the internet.
Incident response should be a mainstay of an effective security program. Our research indicates that two out of three organizations have a formal, documented crisis response plan in place. Considering the prevalence of cyber attacks and the growing likelihood of a breach, every organization should have such a plan. It also is important for boards, senior management teams and technology functions to understand that the effectiveness of incident response plans hinges on their execution, and the only way to gauge how these plans will work in reality is to periodically test them in simulations. The most effective incident response plans are “living documents” that are regularly updated to reflect rapidly changing market conditions, emerging security risks and internal changes.
— Michael Walter, Protiviti Managing Director – Leader, Cybersecurity Intelligence Response Center
Similar to the chart on the prior page, the graphic below shows the top 10 most vulnerable ports from an internal perspective.
Top 10 Ports with Internal Vulnerabilities — by Total Count
Rank | Port | Count
01 | microsoft-ds (445) | 45632
02 | https (443) | 16502
03 | http (80) | 13715
04 | ssh (22) | 7716
05 | netbios-ssn (139) | 7540
06 | dcom-scm (135) | 6093
07 | telnet (23) | 5529
08 | h323 (1720) | 3425
09 | netbios-ns (137) | 2989
10 | sunrpc (111) | 2801
The chart below shows the average age of vulnerabilities by CVSS classification across all industries and systems from 2017 to vulnerability release date.
Average Age of Vulnerabilities (Years) by Severity (1)
Severity | Average Age (Years)
Low | 4.12
Medium | 6.48
High | 3.83
Critical | 3.24
(1) Severity rankings are based on the standard CVSS scoring mechanism detailed on page 2.
Detailed Findings (2009 – 2017)
As noted earlier, the prior section provides a high-level summary of key findings from Protiviti’s vulnerability assessment data. The following pages contain deeper, more detailed results from this data.
Top 30 Overall Exploits by Count
Rank | Exploit | CVE ID | Count
1 | HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2058
2 | Windows Kernel Win32k.sys, Multiple Vulnerabilities | CVE-2013-3660 | 1398
3 | MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 1364
4 | Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 1122
5 | MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 680
6 | Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) | CVE-2013-0401 | 588
7 | Oracle Java JDK/JRE Remote Code Execution Vulnerability | CVE-2013-0809 | 398
8 | Apache 2.2 < 2.2.22 Multiple Vulnerabilities | CVE-2011-3368 | 349
9 | Splunk Enterprise < 6.4.2 Multiple Vulnerabilities | CVE-2013-0211 | 313
10 | OpenSSL AES-NI Padding Oracle MitM Information Disclosure | CVE-2016-2107 | 296
11 | Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 268
12 | MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 252
13 | MS08-067: Server Service Vulnerability | CVE-2008-4250 | 205
14 | Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 192
15 | Adobe Acrobat < 10.0.1 Multiple Vulnerabilities | CVE-2010-4091 | 189
16 | OpenSSL Heartbeat Information Disclosure (Heartbleed) | CVE-2014-0160 | 186
17 | Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution | CVE-2012-0874 | 167
18 | PHP < 5.3.9 Multiple Vulnerabilities | CVE-2011-3379 | 165
19 | MS15-004: Directory Traversal Elevation of Privilege Vulnerability | CVE-2015-0016 | 159
20 | Adobe Reader < 9.1 Multiple Vulnerabilities | CVE-2009-0193 | 132
21 | GNU C Library < 2.23 Multiple Vulnerabilities | CVE-2015-7547 | 127
22 | Mozilla Updater and Windows Update Service Privilege Escalation Vulnerability | CVE-2012-1942 | 119
23 | MS10-096: Windows Address Book Insecure Library Loading Vulnerability | CVE-2010-3147 | 112
24 | MS14-064: Windows OLE Automation Array Remote Code Execution Vulnerability | CVE-2014-6332 | 111
25 | MS11-019: Browser Pool Corruption Vulnerability | CVE-2011-0654 | 101
26 | MS11-026: MHTML Mime-Formatted Request Vulnerability | CVE-2011-0096 | 101
27 | Sun Java Web Start JNLP Remote Code Execution Vulnerability | CVE-2007-3655 | 96
28 | MS10-042: Vulnerability in Help and Support Center | CVE-2010-1885 | 95
29 | MS10-097: Insecure Library Loading in Internet Connection Signup Wizard | CVE-2010-3144 | 95
30 | MS11-003: Cumulative Security Update for Internet Explorer | CVE-2010-3971 | 92
NOTES: In this table, we have only identified a single CVE ID for each vulnerability in order to simplify our reporting.
Operating systems are not the only systems with exploitable vulnerabilities. Applications rank equally high.
Vulnerabilities: Top 30 Overall by Count (All Severity — External and Internal)
Rank | Vulnerability | CVE ID | Count
1 | Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | CVE-2005-1794 | 51450
2 | SSL RC4 Cipher Suites Supported | CVE-2013-2566 | 43284
3 | SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | CVE-2014-3566 | 19237
4 | SSH Server CBC Mode Ciphers Enabled | CVE-2008-5161 | 19201
5 | SSL Certificate Signed Using Weak Hashing Algorithm | CVE-2004-2761 | 15131
6 | Microsoft Windows SMB NULL Session Authentication | CVE-1999-0519 | 10216
7 | SSL Version 2 (v2) Protocol Detection | CVE-2005-2969 | 5986
8 | SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection | CVE-2009-3555 | 5394
9 | TLS Padding Oracle Information Disclosure Vulnerability (TLS POODLE) | CVE-2014-8730 | 4991
10 | HTTP TRACE / TRACK Methods Allowed | CVE-2003-1567 | 4714
11 | SSL/TLS Diffie-Hellman Modulus Weak Configuration (Logjam) | CVE-2015-4000 | 4347
12 | Apache HTTP Server httpOnly Cookie Information Disclosure | CVE-2012-0053 | 3970
13 | SNMP Agent Default Community Name (public) | CVE-1999-0517 | 3790
14 | RomPager HTTP Referer Header XSS | CVE-2013-6786 | 3476
15 | SSL 64-bit Block Size Cipher Suites Supported (SWEET32) | CVE-2016-2183 | 3246
16 | Web Server HTTP Header Internal IP Disclosure | CVE-2000-0649 | 3094
17 | MS12-020: Remote Desktop Protocol Vulnerability* | CVE-2012-0002 | 2836
18 | SSH Protocol Version 1 Session Key Retrieval | CVE-2001-0361 | 2724
19 | HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2058
20 | MS14-066: Microsoft Schannel Remote Code Execution Vulnerability* | CVE-2014-6321 | 2018
21 | MS16-047: Windows SAM and LSAD Downgrade Vulnerability (Badlock)* | CVE-2016-0128 | 2008
22 | SSL/TLS EXPORT_RSA Weak Configuration (FREAK) | CVE-2015-0204 | 1937
23 | Dropbear SSH Server < 2013.59, Multiple Vulnerabilities | CVE-2013-4421 | 1923
24 | TLS CRIME Vulnerability | CVE-2012-4929 | 1908
25 | SSL / TLS Renegotiation DoS | CVE-2011-1473 | 1654
26 | Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key | CVE-2002-1623 | 1540
27 | Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 1430
28 | Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities | CVE-2013-3660 | 1398
29 | MS15-034: Vulnerability in HTTP.sys Remote Code Execution | CVE-2015-1635 | 1364
30 | MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Remote Code Execution | CVE-2010-3190 | 1237
* Uncredentialed check
SSL vulnerabilities dominate the top 30 highest count.
Top 10 External Exploits
Exploit | CVE ID | Count
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 426
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 379
Apache 2.2 < 2.2.22 Multiple Vulnerabilities | CVE-2011-3368 | 183
OpenSSL AES-NI Padding Oracle MitM Information Disclosure | CVE-2016-2107 | 141
MS15-004: Directory Traversal Elevation of Privilege Vulnerability | CVE-2015-0016 | 86
Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 77
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | CVE-2014-3566 | 47
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 40
PHP < 5.3.9 Multiple Vulnerabilities | CVE-2011-3379 | 37
Cisco ASA / IOS IKE Fragmentation Vulnerability | CVE-2016-1287 | 29
Missing Microsoft patch MS17-010, which WannaCry used as a transport method, cracked the list of top 10 external exploits in less than a year.
Top 10 External Vulnerabilities by Count
Vulnerability | CVE ID | Count
SSL RC4 Cipher Suites Supported | CVE-2013-2566 | 12970
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | CVE-2014-3566 | 6589
SSL Version 2 (v2) Protocol Detection | CVE-2005-2969 | 2926
HTTP TRACE / TRACK Methods Allowed | CVE-2003-1567 | 2481
Web Server HTTP Header Internal IP Disclosure | CVE-2000-0649 | 2056
SSH Server CBC Mode Ciphers Enabled | CVE-2008-5161 | 1835
Apache HTTP Server httpOnly Cookie Information Disclosure | CVE-2012-0053 | 1522
SSL Certificate Signed Using Weak Hashing Algorithm | CVE-2004-2761 | 1460
Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key | CVE-2002-1623 | 1255
SSL 64-bit Block Size Cipher Suites Supported (SWEET32) | CVE-2016-2183 | 1060
Most external vulnerabilities relate to web servers.
Top 10 Internal Exploits by Count
Exploit | CVE ID | Count
HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2041
Windows Kernel Win32k.sys, Multiple Vulnerabilities | CVE-2013-3660 | 1398
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 985
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 696
MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 659
Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) | CVE-2013-0401 | 562
Oracle Java JDK/JRE Remote Code Execution Vulnerability | CVE-2013-0809 | 383
Splunk Enterprise < 6.4.2 | CVE-2013-0211 | 313
Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 259
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 244
EternalBlue cracked the top 10 list of internal exploits by count, as well.
Top 10 Ports with Internal Vulnerabilities
Rank | Port | Count
01 | microsoft-ds (445) | 46142
02 | https (443) | 16502
03 | http (80) | 14838
04 | ssh (22) | 7784
05 | netbios-ssn (139) | 7549
06 | dcom-scm (135) | 6093
07 | telnet (23) | 5593
08 | h323 (1720) | 3425
09 | netbios-ns (137) | 2989
10 | sunrpc (111) | 2801
Top 10 Internal Vulnerabilities by Count
Vulnerability | CVE ID | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | CVE-2005-1794 | 50296
SSL RC4 Cipher Suites Supported | CVE-2013-2566 | 30314
SSH Server CBC Mode Ciphers Enabled | CVE-2008-5161 | 17365
SSL Certificate Signed Using Weak Hashing Algorithm | CVE-2004-2761 | 13357
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | CVE-2014-3566 | 12493
SSL RC4 Cipher Suites Supported | CVE-2013-2566 | 10833
Microsoft Windows SMB NULL Session Authentication | CVE-1999-0519 | 10102
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection | CVE-2009-3555 | 4351
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (SSL/TLS Logjam Vulnerability) | CVE-2015-4000 | 3734
SNMP Agent Default Community Name (public) | CVE-1999-0517 | 3426
Total Exploits (External and Internal) Over Time
Year | Total Exploits
2009 | 69
2010 | 7
2011 | 433
2012 | 331
2013 | 703
2014 | 709
2015 | 1509
2016 | 565
2017 | 695
In 2015, significant exploits included Adobe Flash and Microsoft Office vulnerabilities.
Total Vulnerabilities (External and Internal) Over Time
[Bar chart: total vulnerabilities by year, 2009 to 2017, on a vertical axis from 0 to 16000. Data labels on the chart: 10829, 6235, 6813, 4541, 3304, 3376, 3251, 1358, 255.]
As expected, the number of vulnerabilities identified over time is increasing.
Overall Industry Findings (2009 – 2017)
Vulnerability Severity by Industry
Industry | Critical and High Unique Vulnerabilities | Unique Vulnerabilities
Technology, Media & Telecommunications | 238 | 631
Manufacturing | 956 | 1594
Healthcare & Life Sciences | 1614 | 2374
Financial Services | 1771 | 2790
Energy & Utilities | 611 | 974
Education | 556 | 895
Consumer Products & Services | 1549 | 2537
Technology, Media and Telecommunications organizations had the lowest percentage of vulnerabilities that were “critical” or “high” in severity.
NOTES: Organizations included by industry and number of scans/tests performed: Consumer Products & Services 36%, Financial Services 29%, Healthcare & Life Sciences 10%, Technology, Media & Telecommunications 9%, Manufacturing 8%, Energy & Utilities 7%, Education 1%.
Exploits by Industry
Industry | Critical and High Unique Exploits | Unique Exploits
Technology, Media & Telecommunications | 31 | 37
Manufacturing | 73 | 88
Healthcare & Life Sciences | 143 | 165
Financial Services | 150 | 181
Energy & Utilities | 54 | 66
Education | 71 | 85
Consumer Products & Services | 135 | 159
By their very nature, most exploits are considered “critical” or “high” in severity.
NOTES: Organizations included by industry and number of scans/tests performed: Consumer Products & Services 36%, Financial Services 29%, Healthcare & Life Sciences 10%, Technology, Media & Telecommunications 9%, Manufacturing 8%, Energy & Utilities 7%, Education 1%.
Financial Services
Top 10 Overall Exploits (External and Internal)
Exploit | CVE | Count
Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2013-3660 | 1398
HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 908
MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 650
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | CVE-2015-1635 | 583
Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) | CVE-2013-0401 | 560
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 510
Oracle Java JDK/JRE Remote Code Execution Vulnerability | CVE-2013-0809 | 381
Splunk Enterprise < 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities | CVE-2013-0211 | 302
Adobe Acrobat < 10.0.1 Multiple Vulnerabilities | CVE-2010-4091 | 189
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 175
Top 10 Overall Exploits by Port (External and Internal)
Rank | Port | Count
01 | microsoft-ds (445) | 15840
02 | https (443) | 9411
03 | http (80) | 6621
04 | netbios-ssn (139) | 4261
05 | ssh (22) | 3310
06 | sunrpc (111) | 1263
07 | telnet (23) | 1211
08 | netbios-ns (137) | 463
09 | dcom-scm (135) | 435
10 | snmp (161) | 417
Top 10 Overall Vulnerabilities (External and Internal)
Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 17608
SSL RC4 Cipher Suites Supported | 9253
SSH Server CBC Mode Ciphers Enabled | 5662
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 5451
Microsoft Windows SMB NULL Session Authentication | 3575
HTTP TRACE / TRACK Methods Allowed | 2169
SSL Version 2 Protocol Detection | 1967
Apache HTTP Server httpOnly Cookie Information Disclosure | 1779
RomPager HTTP Referer Header XSS | 1705
Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities | 1398
Consumer Products and Services
Top 10 Overall Exploits (External and Internal)
Exploit | CVE | Count
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | CVE-2011-1944 | 548
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 230
OpenSSL AES-NI Padding Oracle MiTM Information Disclosure | CVE-2016-2107 | 143
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 131
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | CVE-2013-5704 | 121
OpenSSL Heartbeat Information Disclosure (Heartbleed) | CVE-2014-0160 | 87
MS10-096: Windows Address Book Insecure Library Loading Vulnerability | CVE-2010-3147 | 77
MS10-073: Win32k Reference Count Vulnerability | CVE-2010-2549 | 76
MS11-027: Microsoft Windows 8 Developer Tools Vulnerability | CVE-2010-0811 | 68
MS11-019: Browser Pool Corruption Vulnerability | CVE-2011-0654 | 67
Consumer Products and Services organizations had more MS17-010 exploits identified than other industries.
Top 10 Overall Exploits by Port (External and Internal)
Rank | Port | Count
01 | https (443) | 12816
02 | microsoft-ds (445) | 8058
03 | http (80) | 4824
04 | dcom-scm (135) | 2627
05 | telnet (23) | 1966
06 | ssh (22) | 1767
07 | sunrpc (111) | 1039
08 | rdp (3389) | 1034
09 | netbios-ssn (139) | 1015
10 | netbios-ns (137) | 894
Top 10 Overall Vulnerabilities (External and Internal)
Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 9342
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 6003
SSL Certificate Signed Using Weak Hashing Algorithm | 5461
SSH Server CBC Mode Ciphers Enabled | 4008
SSL Version 2 Protocol Detection | 1781
Web Server HTTP Header Internal IP Disclosure | 1579
Microsoft Windows SMB NULL Session Authentication | 1385
HTTP TRACE / TRACK Methods Allowed | 948
Apache HTTP Server httpOnly Cookie Information Disclosure | 880
SNMP Agent Default Community Name | 817
Education
Top 10 Overall Exploits (External and Internal)
Exploit | CVE | Count
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 34
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | CVE-2013-5704 | 13
PHP < 5.3.9 Multiple Vulnerabilities | CVE-2011-3379 | 12
Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 10
Apache Struts2 / XWork Remote Code Execution | CVE-2010-1870 | 8
Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 6
MS15-009: Internet Explorer Use-after-free Vulnerability | CVE-2014-8967 | 6
MS14-058: Win32k.sys Privilege Escalation Vulnerability | CVE-2014-4113 | 5
MS14-056: Internet Explorer Elevation of Privilege Vulnerability | CVE-2014-4123 | 5
Adobe Reader < 10.0.1 Multiple Vulnerabilities | CVE-2010-4091 | 5
Top 10 Overall Exploits by Port (External and Internal)
Rank | Port | Count
01 | http (80) | 1173
02 | netbios-ssn (139) | 934
03 | microsoft-ds (445) | 424
04 | https (443) | 344
05 | dcom-scm (135) | 292
06 | telnet (23) | 125
07 | ssh (22) | 107
08 | ntp (123) | 67
09 | sunrpc (111) | 48
10 | netbios-ns (137) | 33
Top 10 Overall Vulnerabilities (External and Internal)
Vulnerability | Count
SSL RC4 Cipher Suites Supported | 948
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 426
HTTP TRACE / TRACK Methods Allowed | 241
Apache HTTP Server httpOnly Cookie Information Disclosure | 193
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 163
SSL Version 2 Protocol Detection | 107
Microsoft Windows SMB NULL Session Authentication | 84
SNMP Agent Default Community Name | 61
Web Server Generic XSS | 37
Apache HTTP Server Byte Range DoS | 34
Energy and Utilities
Top 10 Overall Exploits (External and Internal)
Exploit | CVE | Count
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | CVE-2011-1944 | 104
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 27
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | CVE-2015-1635 | 18
MS11-004: IIS FTP Service Heap Buffer Overrun Vulnerability | CVE-2010-3972 | 18
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | CVE-2013-5704 | 13
HP LaserJet PJL Interface Directory Traversal | CVE-2010-4107 | 11
Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 9
MS08-067: Server Service Vulnerability | CVE-2008-4250 | 8
MS13-037: Internet Explorer Use-after-free Vulnerability | CVE-2013-0811 | 7
MS12-008: GDI Access Violation Vulnerability | CVE-2011-5046 | 7
Top 10 Overall Exploits by Port (External and Internal)
Rank | Port | Count
01 | microsoft-ds (445) | 1944
02 | https (443) | 851
03 | http (80) | 467
04 | ssh (22) | 438
05 | telnet (23) | 221
06 | ftp (21) | 177
07 | netbios-ns (137) | 126
08 | netbios-ssn (139) | 119
09 | snmp (161) | 105
10 | dcom-scm (135) | 59
Top 10 Overall Vulnerabilities (External and Internal)
Vulnerability | Count
SSL RC4 Cipher Suites Supported | 2275
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 1801
SSH Server CBC Mode Ciphers Enabled | 999
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 488
SSL Version 2 Protocol Detection | 351
SNMP Agent Default Community Name | 332
Microsoft Windows SMB NULL Session Authentication | 267
RomPager HTTP Referer Header XSS | 199
SSH Protocol Version 1 Session Key Retrieval | 181
MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution | 148
Healthcare and Life Sciences
Top 10 Overall Exploits (External and Internal)
Exploit | CVE | Count
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | CVE-2011-1944 | 411
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 238
Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 195
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 192
Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 151
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 136
GNU C Library < 2.23 Multiple Vulnerabilities | CVE-2015-7547 | 99
Apache 2.2 < 2.2.22 Multiple Vulnerabilities | CVE-2011-3368 | 96
MS08-067: Server Service Vulnerability | CVE-2008-4250 | 77
Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution | CVE-2012-0874 | 58
Top 10 Overall Exploits by Port (External and Internal)
Rank | Port | Count
01 | microsoft-ds (445) | 15916
02 | https (443) | 2367
03 | http (80) | 1966
04 | telnet (23) | 1948
05 | ssh (22) | 1700
06 | netbios-ns (137) | 1421
07 | ftp (21) | 974
08 | netbios-ssn (139) | 900
09 | sunrpc (111) | 340
10 | raw (9100) | 314
Top 10 Overall Vulnerabilities (External and Internal)
Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 15721
SSL RC4 Cipher Suites Supported | 14456
SSH Server CBC Mode Ciphers Enabled | 5786
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 3992
Microsoft Windows SMB NULL Session Authentication | 3092
Dropbear SSH Server < 2013.59 Multiple Vulnerabilities | 1211
MS16-047: Security Update for SAM and LSAD Remote Protocols | 936
SNMP Agent Default Community Name | 760
SSL Version 2 Protocol Detection | 596
Chargen UDP Service Remote DoS | 530
Manufacturing
Top 10 Overall Exploits (External and Internal)
Exploit | CVE | Count
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | CVE-2015-1635 | 344
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | CVE-2011-1944 | 194
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 70
Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 59
MS14-064: Windows OLE Automation Array Remote Code Execution Vulnerability | CVE-2014-6332 | 57
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | CVE-2013-5704 | 46
MS08-067: Server Service Vulnerability | CVE-2008-4250 | 35
Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 32
MS14-070: TCP/IP Elevation of Privilege Vulnerability | CVE-2014-4076 | 30
MS14-062: Unvalidated Address in IRP Handler Privilege Elevation Vulnerability | CVE-2014-4971 | 30
Top 10 Overall Exploits by Port (External and Internal)
Rank | Port | Count
01 | http (80) | 3142
02 | microsoft-ds (445) | 2406
03 | https (443) | 1525
04 | netbios-ssn (139) | 1143
05 | telnet (23) | 345
06 | h323 (1720) | 237
07 | ssh (22) | 222
08 | ftp (21) | 172
09 | netbios-ns (137) | 95
10 | dcom-scm (135) | 76
Top 10 Overall Vulnerabilities (External and Internal)
Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 3192
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 2147
SSL RC4 Cipher Suites Supported | 1925
RomPager HTTP Referer Header XSS | 1481
SSH Server CBC Mode Ciphers Enabled | 1329
Microsoft Windows SMB NULL Session Authentication | 1267
MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution | 581
SNMP Agent Default Community Name | 505
HTTP TRACE / TRACK Methods Allowed | 384
MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution | 365
Technology, Media and Telecommunications
Top 10 Overall Exploits (External and Internal)
Exploit | CVE | Count
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | CVE-2015-1635 | 344
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | CVE-2011-1944 | 194
Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 70
Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 59
MS14-064: Windows OLE Automation Array Remote Code Execution Vulnerability | CVE-2014-6332 | 57
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | CVE-2013-5704 | 46
MS08-067: Server Service Vulnerability | CVE-2008-4250 | 35
Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 32
MS14-062: Unvalidated Address in IRP Handler Privilege Elevation Vulnerability | CVE-2014-4971 | 30
MS14-070: Vulnerability in TCP/IP Elevation of Privilege | CVE-2014-4076 | 30
Top 10 Overall Exploits by Port (External and Internal)
Rank | Port | Count
01 | h323 (1720) | 3032
02 | microsoft-ds (445) | 2907
03 | https (443) | 2787
04 | ssh (22) | 1097
05 | http (80) | 980
06 | finger (79) | 253
07 | netbios-ssn (139) | 187
08 | telnet (23) | 134
09 | ntp (123) | 78
10 | netbios-ns (137) | 67
Top 10 Overall Vulnerabilities (External and Internal)
Vulnerability | Count
SSL RC4 Cipher Suites Supported | 4840
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 1673
SSH Server CBC Mode Ciphers Enabled | 1087
SSL Version 2 Protocol Detection | 874
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 787
Web Server HTTP Header Internal IP Disclosure | 738
Microsoft Windows SMB NULL Session Authentication | 496
HTTP TRACE / TRACK Methods Allowed | 420
Apache HTTP Server httpOnly Cookie Information Disclosure | 226
Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key | 208
Key Questions to Consider
Following are some suggested questions that CIOs and IT leaders should consider, based on the context of and risks inherent in the entity’s operations:
• Are our systems correctly configured to prevent hackers from getting in?
• Does our organization have a good handle on its asset inventory? Specifically, do we know what’s exposed on the internet and what’s not? Is it protected?
• Are we protected from insider threats?
• Are web applications developed and maintained in a manner to resist attack?
• Do our employees know how to identify and respond to attacks?
Final Thoughts
Over the past decade, the cyber threat landscape clearly has been perilous for organizations and undoubtedly will remain so in the years ahead. What can organizations learn from all of this? Perhaps the key lesson is that any organization most likely has security vulnerabilities in one or more areas. To understand these vulnerabilities better, organizations should perform a comprehensive assessment to identify their security vulnerabilities and threats. Further, the calls to action detailed earlier provide a roadmap for organizations to improve their overall security posture.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
CONTACTS
Kurt Underwood, Managing Director, Global Leader, Technology Consulting Practice, +1.206.262.8389
Scott Laliberte, Managing Director, +1.267.256.8825
Andrew Retrum, Managing Director, +1.312.476.6353
Randy Armknecht, Managing Director, +1.312.476.6428
Michael Walter, Managing Director, +1.303.898.9145
Tom Stewart, Director, +1.312.931.8901
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0418-101105 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.