2018 Security Threat Report

Assessing Nine Years of Cyber Security Vulnerabilities and Exploits

Internal Audit, Risk, Business & Technology Consulting Executive Summary

Finding the right words to describe the magnitude of cyber security today is like trying to define the size and splendor of the Grand Canyon to someone unfamiliar with that natural wonder of the world. News of massive data breaches continues to make headlines. Among the largest breaches to date, one of the major consumer credit reporting agencies announced last year that its store of Social Security numbers, driver’s license data, birth dates and other personal information on more than 140 million consumers had been accessed. A decade ago, such news would have been unimaginable. But sadly, over the last several months, disclosures of significant cyber security breaches have become routine as organizations increasingly rely on vulnerable digital technologies and third-party service providers.

At the same time, cyber criminals are becoming more creative and sophisticated. New cyber threats emerge daily that put any number of business systems at risk, and companies face a monumental challenge to keep pace with the threats and safeguard their data, particularly their “crown jewels.” It’s no surprise that cyber security is the chief concern not only for CIOs and IT departments, but also for executive-level management and boards of directors.

This report aims to help organizations address and understand the cyber security landscape by exploring and detailing the most common digital threats today. Since 2009, Protiviti security labs in the United States have performed more than 500 in-depth security scans on behalf of a broad range of organizations to test and assess their IT systems and infrastructure for cyber security risks. Keeping the organizations anonymous, we have compiled and quantified the vulnerability and threat discoveries in our data, offering insights and trends regarding the types of threats organizations are most likely to face, the most frequently perpetrated cyber crimes, the recent acceleration of attacks, and trends in cyber attacks by industry and size, among other views.

In addition, we provide insight into the root causes underlying the vulnerabilities and practical guidance on how companies can protect their information. In these times of digital treachery, we hope you find this report useful.

Key calls to action we define include:

01 Strong permission and user access controls
02 Employee security awareness
03 Patch management
04 System configuration management
05 Periodic penetration testing

protiviti.com 2018 Security Threat Report · 1

About Our Study

We compiled the data, analyses and trends presented in this report by reviewing information from security vulnerability scans of IT systems of more than 500 organizations in a broad range of industries. Over a nine-year period, Protiviti’s security experts were engaged by these companies to scan their networks, detect vulnerabilities, and help fix issues and establish proper mechanisms for monitoring and prevention. This data has been aggregated and analyzed into data points that we believe are both informative and useful for those trying to safeguard their systems.

Some important notes and definitions about the data in our report:

• The scanned data from these engagements was not validated – rather, it is the raw data from a leading vulnerability scanner that the Protiviti teams used.
• The test data is from a broad range of industry organizations:
–– Financial Services
–– Healthcare and Life Sciences
–– Consumer Products and Services
–– Energy and Utilities
–– Technology, Media and Telecommunications
–– Manufacturing
–– Education
• The data contains results from internet-facing systems (external) as well as systems on the inside of the organization’s firewall (internal).
• Vulnerability data contained within this study relate to network-related issues only. Web application vulnerabilities are not included. In addition, vulnerability data related to the same missing patch or outdated system versions have been removed, with only the highest total remaining, to reduce repeat items.
• Vulnerability refers to a weakness in a computer system that reduces its security posture.
• Exploit refers to vulnerabilities that have publicly available exploit code as of the time of testing.
• Risk rankings generally follow the standard CVSS scoring mechanism:
–– Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
–– Vulnerabilities are labeled “Medium” severity if they have a CVSS base score of 4.0-6.9.
–– Vulnerabilities are labeled “High” severity if they have a CVSS base score of 7.0-8.9.
–– Vulnerabilities are labeled “Critical” severity if they have a CVSS base score of 9.0-10.0.

Key Definitions

• Vulnerability: Weakness in a computer system that reduces its security posture
• Exploit: Vulnerabilities that have publicly available exploit code
• External: Internet facing systems
• Internal: Non-internet facing systems
• Risk rankings: Follow CVSS scoring mechanism: Critical 9.0 - 10.0; High 7.0 - 8.9; Medium 4.0 - 6.9; Low 0.0 - 3.9

2 · Protiviti

Key Takeaways/Trends and Analysis

Based on the wealth of data taken from nine years’ worth of security scans and the trends they reveal, there are a number of key takeaways and learnings:

• Patching, both external and internal, remains a critical issue. In particular, application patching appears to be a more problematic issue than operating system patching.
• Organizations are still running a significant number of unsupported systems.
• There have been consistent challenges with SSL, especially with regard to weak ciphers and diversions. Though the raw number of issues hasn’t reached a high level, this is an area for organizations to monitor.
• Not surprisingly, the number of exploits and vulnerabilities organizations have experienced has risen over time. Also of no surprise, the ports with the most vulnerabilities are Windows 445 and web 443.
• Every few years, a major critical exploit comes along that has a drastic impact on the security landscape. Just a few examples include MS08-067, , Shellshock (CVE-2014-6271), MS17-010 and MS15-034.
• Just under half of the vulnerabilities identified during testing have a publicly available exploit.

Organizations Included by Industry and Number of Scans/Tests Performed

• Consumer Products & Services: 36%
• Financial Services: 29%
• Healthcare & Life Sciences: 10%
• Technology, Media & Telecommunications: 9%
• Manufacturing: 8%
• Energy & Utilities: 7%
• Education: 1%

Call to Action

Regardless of an organization’s industry or size, developing, establishing and implementing five basic security principles will dramatically reduce an organization’s risk of a security breach. Organizational networks are only as strong as their weakest link. As such, each of these areas needs to be looked at, evaluated and improved individually and collectively in order to raise the bar high enough so that a non-targeted attacker will be compelled to move on to the next network.

The five items are:

1. Strong permission and user access controls – Maintaining strong access controls is one of the primary ways to protect against a breach. Seemingly simple steps such as ensuring appropriate permissions, reducing the number of powerful administrative accounts and changing default passwords significantly reduce the attack surface for a . Software, systems and devices are often preloaded with default permissions, usernames and passwords that are easily identifiable through a quick internet search or system query. Attempting to access systems with default permissions and guessing these usernames and passwords often is one of the first steps an attacker will take when attempting to gain control of a system. Organizations that periodically check their network for default permissions/credentials and implement this change as part of the standard system deployment procedures reduce the likelihood of one or more attackers gaining easy access to a network.

2. Employee security awareness – Without strong employee security awareness, attackers can manipulate and prey on human emotion and behavior to greatly reduce the effectiveness of technology, often very expensive, that the organization put in place to protect its networks. Social engineering attacks try to obtain information that should not be disclosed and could facilitate gaining unauthorized access to companies’ private data and resources. Examples of this include seeking information required to reset and recover an employee’s password or any other important information through electronic (phishing) or physical means, or through phone calls. Strong security awareness programs provide and reinforce security awareness communications and training provided to employees. Communications inform employees and other users of the latest security threats, activities the organization is taking to mitigate these risks, and measures that users can take to protect themselves and contribute to promoting a secure office environment. Periodic communications also stress proper password protection and management, as well as provide employees with appropriate steps to take when they feel that social engineering techniques are being attempted.

3. Patch management – As noted in the threat data presented in our report, most vulnerabilities can be remediated and/or are the result of a system not being properly patched. This not only applies to operating systems, but also to applications. While getting a handle on application patching is often more difficult than on operating systems (largely due to the number of applications and required patches in an environment), it is equally important to protect the organization. Organizations should use automated tools to both identify and apply patches in an environment. Strong patch management programs have a good handle on the security patch levels on all systems throughout the environment (network devices, operating systems and applications). Systems that are not currently integrated with the existing patch management process are integrated into the centrally managed process. In instances where systems cannot be upgraded or patched due to business constraints, compensating controls (e.g., VLANs or firewalls) should be implemented to protect the rest of the network.

4. System configuration management – Strong configuration management ensures that systems are consistently and securely configured across the environment (with exceptions where necessary) to prevent attackers from easily gaining access to systems and data. Areas such as password and audit policies, services, and file permissions are controlled through the configuration management process. Organizations with effective configuration management define a standard (usually based on single or hybrid industry standards), deploy it across applicable systems in the environment, and periodically confirm the configurations do not change. This is often controlled centrally to reduce required staff hours as well as lessen the difficulty in determining adherence to defined standards.

5. Periodic penetration testing – To ensure the first four calls to action, as described above, are being executed, organizations should perform periodic penetration testing across various pieces of IT infrastructure, including application and network layers. Organizations should commit to performing periodic penetration testing at least annually, though more frequently is better. This periodic testing identifies low-hanging fruit, in terms of security vulnerabilities to address, and keeps the organization up-to-date with the latest tricks and techniques attackers are using. Without periodic testing, organizations may be susceptible to issues outside the scope of the four action items above or may believe certain truths but cannot verify their validity.
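One way to implement the “define a standard, deploy it, periodically confirm it has not changed” loop of item 4 in code, as an added example that is not Protiviti’s tooling: the baseline values, the exception list and the per-host settings are constructed sample data, and the keys stand in for whatever a real collector of password policy, audit policy, service state and file permissions would return.

```python
"""Configuration drift check for call to action 4 (system configuration
management): define a standard, allow documented exceptions, and confirm
periodically that deployed systems still match it.

Added example, not Protiviti's tooling. The baseline, exceptions and
per-host settings are constructed sample data; in practice the observed
settings would come from a collector that reads each host's password and
audit policy, service state and file permissions.
"""
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, object]
Drift = Tuple[str, str, object, Optional[object]]  # host, key, expected, actual

# The organization's standard for the areas the report names: password and
# audit policies, services, and file permissions (constructed values).
BASELINE: Settings = {
    "password.min_length": 14,
    "password.max_age_days": 90,
    "password.lockout_threshold": 5,
    "audit.logon_events": "success,failure",
    "service.telnet": "disabled",
    "service.smbv1": "disabled",
    "perm./etc/shadow": "0640",
}

# Documented exceptions ("with exceptions where necessary"): host -> key -> allowed value.
# An exception narrows the standard for one host only; it is still checked, so an
# excepted host that drifts away from its approved value is reported too.
EXCEPTIONS: Dict[str, Settings] = {
    "legacy-app-01": {"service.smbv1": "enabled"},  # vendor constraint, isolated on its own VLAN
}

# Constructed settings as a collector might return them for four hosts.
FLEET: Dict[str, Settings] = {
    "web-01": {**BASELINE, "password.max_age_days": 180},      # one policy drifted
    "web-02": dict(BASELINE),                                  # fully compliant
    "legacy-app-01": {**BASELINE, "service.smbv1": "enabled", "service.telnet": "enabled"},
    "db-02": {k: v for k, v in BASELINE.items() if k != "audit.logon_events"},  # unreadable setting
}


def check_host(host: str, observed: Settings,
               baseline: Settings = BASELINE,
               exceptions: Dict[str, Settings] = EXCEPTIONS) -> List[Drift]:
    """Compare one host against the standard plus its approved exceptions.

    A key the collector did not return is reported with actual=None rather than
    skipped, so an unreadable setting is never silently counted as compliant.
    """
    expected_for_host = dict(baseline)
    expected_for_host.update(exceptions.get(host, {}))
    return [(host, key, expected, observed.get(key))
            for key, expected in expected_for_host.items()
            if observed.get(key) != expected]


def check_fleet(fleet: Dict[str, Settings]) -> Dict[str, List[Drift]]:
    """Run the check across every host; the result is the periodic confirmation report."""
    return {host: check_host(host, observed) for host, observed in fleet.items()}


def hosts_with_drift(report: Dict[str, List[Drift]]) -> List[str]:
    """Hosts that need remediation (or a newly documented exception)."""
    return [host for host, drift in report.items() if drift]


if __name__ == "__main__":
    report = check_fleet(FLEET)
    for host in hosts_with_drift(report):
        for _, key, expected, actual in report[host]:
            print(f"{host}: {key} expected {expected!r}, found {actual!r}")
```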

Recent breaches continue to reinforce the prevailing wisdom that companies today fall into two groups — those that have been breached and know it, and those that have been breached but don’t know it. In addition to preventative measures, organizations must work on maturing detective controls and response procedures. Activities that simulate common attack patterns should be carried out within organizations to determine whether their defenses can detect and respond effectively.

— Andrew Retrum, Protiviti Managing Director – Technology Consulting, Security and Privacy

High-Level Findings (2009 – 2017)

Following are notable high-level findings from Protiviti's vulnerability assessment data. More detailed results are presented starting on page 14.

The graph below identifies the top 10 most common vulnerabilities with a publicly available exploit that existed across all clients and industries.

Top 10 Most Common Exploitable Vulnerabilities by Total Count

1. HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2058
2. Windows Kernel Win32k.sys, Multiple Vulnerabilities | CVE-2013-3660 | 1398
3. MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 1364
4. Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 1122
5. MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 680
6. Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) | CVE-2013-0401 | 588
7. Oracle Java JDK/JRE Remote Code Execution Vulnerability | CVE-2013-0809 | 398
8. Apache 2.2 < 2.2.22 Multiple Vulnerabilities | CVE-2011-3368 | 349
9. Splunk Enterprise < 6.4.2 | CVE-2013-0211 | 313
10. OpenSSL AES-NI Padding Oracle MiTM Information Disclosure | CVE-2016-2107 | 296

In a recent global survey from Protiviti and North Carolina State University’s ERM Initiative, more than 700 directors and C-level executives ranked cyber risk as a top three risk overall, and a “significant impact” risk for businesses in financial services; technology, media and telecommunications; healthcare and life sciences; and energy and utilities. Both directors and CEOs rated cyber as the second-highest risk.

— Source: Executive Perspectives on Top Risks for 2018, North Carolina State University’s ERM Initiative and Protiviti, www.protiviti.com/toprisks.

The graph below identifies the top 10 most common vulnerabilities, with or without a publicly available exploit, across all organizations and industries.

Top 10 Most Common High-Risk Vulnerabilities by Total Count

1. MS12-020: Remote Desktop Protocol Vulnerability | CVE-2012-0002 | 2836
2. HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2058
3. MS14-066: Microsoft Schannel Remote Code Execution Vulnerability | CVE-2014-6321 | 2018
4. MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 1364
5. OpenSSL ChangeCipherSpec MiTM Vulnerability | CVE-2010-5298 | 1255
6. MS11-025: MFC Insecure Library Loading Vulnerability | CVE-2010-3190 | 1237
7. Microsoft Windows SMB Information Disclosure Vulnerability | CVE-2017-0267 | 875
8. MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 680
9. MS13-022: Vulnerability in Microsoft Silverlight Remote Code Execution | CVE-2013-0074 | 663
10. MS13-041: Vulnerability in Lync Remote Code Execution | CVE-2013-1302 | 659

In this modern era of constant attacks, it’s expected that public-facing services will be attacked day in and day out. As such, organizations with a well-designed and thoughtful vulnerability management program will do several things, including scanning public-facing systems immediately upon notification of critical vulnerabilities, quickly patching known vulnerabilities for critical public-facing services, and tracking and verifying patch deployment as part of a comprehensive governance process.

— Randy Armknecht, Protiviti Managing Director – Technology Consulting, Cybersecurity

The graph below shows the normalized relationship between vulnerabilities and publicly available exploits over time.

Number of Unique Vulnerabilities and Exploits Over Time (line chart, 2009 through 2017, y-axis 0 to 160; series: Normalized Vulnerabilities Value, Normalized Exploit Value)

The percentage of increases and decreases in exploits generally correlates with the number of identified vulnerabilities.

Digital transformation and innovative disruption are driving cyber attackers to become increasingly creative. In response, security teams should begin rethinking some of the traditional ways in which they respond to higher threat levels. For example, security groups should consider artificial intelligence and machine learning and how these areas can be applied to cyber security measures. Organizations also should consider the security risks that AI and machine learning pose as these innovations are introduced in other parts of the organization.

— Jonathan Wyatt, Protiviti Managing Director – Leader, Protiviti Digital

The graph below depicts the relationship of uniquely identified publicly available exploits between external and internal infrastructure.

Number of Unique External vs. Internal Infrastructure Exploits by Year

Year | External Exploits | Internal Exploits
2017 | 260 | 435
2016 | 161 | 404
2015 | 381 | 1128
2014 | 314 | 395
2013 | 38 | 665
2012 | 93 | 238
2011 | 1 | 432
2010 | 7 (a single bar is shown for this year; the chart does not indicate which series it belongs to)
2009 | 69 (a single bar is shown for this year, as for 2010)

As expected, internal networks contain many more exploitable vulnerabilities compared to external networks.

The graph below shows the relationship of uniquely identified vulnerabilities, regardless of whether an exploit exists, between external and internal infrastructure.

Number of Unique Vulnerabilities – External vs. Internal Infrastructure

Year | Internal Infrastructure Vulnerabilities | External Infrastructure Vulnerabilities
2017 | 684 | 1534
2016 | 630 | 166
2015 | 1194 | 540
2014 | 747 | 307
2013 | 1408 | 179
2012 | 1104 | 251
2011 | 868 | 50
2010 | 100 | 16
2009 | 480 | 31

Unlike previous years, 2017 external vulnerabilities far exceeded internal vulnerabilities due to the increase in items related to SSL and SMB, as well as the number of external tests executed.

Below is a graphic showing the most vulnerable ports from both an external and internal perspective.

Top 10 Ports with Vulnerabilities — by Total Count

1. microsoft-ds (445): 46675
2. https (443): 32679
3. http (80): 18530
4. netbios-ssn (139): 8518
5. ssh (22): 8278
6. dcom-scm (135): 6233
7. telnet (23): 6106
8. h323 (1720): 3442
9. netbios-ns (137): 3040
10. sunrpc (111): 2860

Microsoft Windows and web servers have the most vulnerabilities.

Most technology leaders lack high confidence in their organization’s ability to prevent, monitor, detect or escalate security breaches by a well-funded external attacker or by a company insider. However, there is a benefit to not being overconfident: It can stave off complacency while helping to sustain a commitment to continually adapt and improve current practices as cyber attacks grow more sophisticated.

— Scott Laliberte, Protiviti Managing Director – Global Leader, Security and Privacy Practice

The chart below depicts the top 10 most vulnerable ports from an external perspective.

Top 10 Ports with External Vulnerabilities — by Total Count

1. https (443): 16177
2. http (80): 4815
3. microsoft-ds (445): 1043
4. netbios-ssn (139): 978
5. telnet (23): 577
6. ssh (22): 562
7. ntp (123): 394
8. ftp (21): 370
9. smtp (25): 313
10. isakmp (500): 286

A significant number of companies are leaving Windows systems directly exposed on the internet.

Incident response should be a mainstay of an effective security program. Our research indicates that two out of three organizations have a formal, documented crisis response plan in place. Considering the prevalence of cyber attacks and the growing likelihood of a breach, every organization should have such a plan. It also is important for boards, senior management teams and technology functions to understand that the effectiveness of incident response plans hinges on their execution, and the only way to gauge how these plans will work in reality is to periodically test them in simulations. The most effective incident response plans are “living documents” that are regularly updated to reflect rapidly changing market conditions, emerging security risks and internal changes.

— Michael Walter, Protiviti Managing Director – Leader, Cybersecurity Intelligence Response Center

Similar to the chart on the prior page, the graphic below shows the top 10 most vulnerable ports from an internal perspective.

Top 10 Ports with Internal Vulnerabilities — by Total Count

1. microsoft-ds (445): 45632
2. https (443): 16502
3. http (80): 13715
4. ssh (22): 7716
5. netbios-ssn (139): 7540
6. dcom-scm (135): 6093
7. telnet (23): 5529
8. h323 (1720): 3425
9. netbios-ns (137): 2989
10. sunrpc (111): 2801

The chart below shows the average age of vulnerabilities by CVSS classification across all industries and systems, measured from 2017 back to each vulnerability’s release date.

Average Age of Vulnerabilities (Years) by Severity¹

Low: 4.12 | Medium: 6.48 | High: 3.83 | Critical: 3.24

¹ Severity rankings are based on the standard CVSS scoring mechanism detailed on page 2.
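The severity bands defined in About Our Study and the roll-ups the charts above are built from (share of findings with a public exploit, ports ranked by finding count, average age by severity), as an added Python example that is not code from the report: the findings it runs on are constructed sample rows whose scores, dates, ports and flags are illustrative, and the Finding dataclass stands in for one row of scanner output, since the page does not give the scanner’s export format.

```python
"""Reproduce the report's own roll-ups (CVSS severity bands, exploitable
share, vulnerable ports, average age by severity) over scanner findings.

Added example; the findings below are constructed sample rows, not data
from the report. The scanner's real export format is not given on the
page, so a small dataclass stands in for one row of its output.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Severity labels and CVSS base-score floors exactly as the report defines them
# (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.0-3.9).
SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.0))

# The chart measures age from 2017 back to the release date; year-end is assumed here.
REPORT_AS_OF = date(2017, 12, 31)


def severity(cvss_base: float) -> str:
    """Map a CVSS base score to the report's four severity labels."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    for label, floor in SEVERITY_BANDS:
        if cvss_base >= floor:
            return label
    raise AssertionError("unreachable: the Low band has floor 0.0")


@dataclass(frozen=True)
class Finding:
    cve: str             # one CVE ID per finding, as the report's tables do
    cvss_base: float
    published: date      # vulnerability release date
    port: int
    external: bool       # True = internet-facing, False = inside the firewall
    public_exploit: bool # exploit code publicly available at time of testing


# Constructed sample: the CVE IDs appear in the report, but the scores, dates,
# ports and flags are illustrative values chosen for this example, not report data.
SAMPLE: List[Finding] = [
    Finding("CVE-2015-1635", 10.0, date(2015, 4, 14), 80, True, True),
    Finding("CVE-2017-0143", 8.1, date(2017, 3, 14), 445, False, True),
    Finding("CVE-2014-0160", 7.5, date(2014, 4, 7), 443, False, True),
    Finding("CVE-2013-2566", 4.3, date(2013, 3, 15), 443, True, False),
    Finding("CVE-2014-3566", 4.3, date(2014, 10, 14), 443, True, True),
    Finding("CVE-2000-0649", 2.6, date(2000, 7, 1), 80, True, False),
]


def age_years(published: date, as_of: date) -> float:
    """Age of a vulnerability in years, measured from as_of back to its release date."""
    return (as_of - published).days / 365.25


def average_age_by_severity(findings: Iterable[Finding], as_of: date) -> Dict[str, float]:
    """Mean age in years per severity label (the report's 'Average Age' chart)."""
    ages = defaultdict(list)
    for f in findings:
        ages[severity(f.cvss_base)].append(age_years(f.published, as_of))
    return {label: sum(v) / len(v) for label, v in ages.items()}


def exploitable_share(findings: Iterable[Finding]) -> float:
    """Fraction of unique CVEs with a public exploit ('just under half' in the report)."""
    by_cve = {f.cve: f.public_exploit for f in findings}  # unique by CVE ID
    return sum(by_cve.values()) / len(by_cve)


def top_ports(findings: Iterable[Finding], external: Optional[bool] = None,
              n: int = 10) -> List[Tuple[int, int]]:
    """Ports ranked by finding count; external=True/False restricts to one side."""
    counts = Counter(f.port for f in findings
                     if external is None or f.external == external)
    return counts.most_common(n)


if __name__ == "__main__":
    for label, age in sorted(average_age_by_severity(SAMPLE, REPORT_AS_OF).items()):
        print(f"{label:<9} average age {age:.2f} years")
    print(f"exploitable share: {exploitable_share(SAMPLE):.0%}")
    print("top ports (all):     ", top_ports(SAMPLE))
    print("top ports (external):", top_ports(SAMPLE, external=True))
```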

Detailed Findings (2009 – 2017)

As noted earlier, the prior section provides a high-level summary of key findings from Protiviti’s vulnerability assessment data. The following pages contain deeper, more detailed results from this data.

Top 30 Overall Exploits by Count

Exploit CVE ID Count

1 HP System Management Homepage < 7.0 Multiple Vulnerabilities CVE-2009-0037 2058

2 Windows Kernel Win32k.sys, Multiple Vulnerabilities CVE-2013-3660 1398

3 MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability CVE-2015-1635 1364

4 Apache HTTP Server Byte Range DoS CVE-2011-3192 1122

5 MS13-047: Internet Explorer Memory Corruption Vulnerability CVE-2013-3110 680

6 Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) CVE-2013-0401 588

7 Oracle Java JDK/JRE Remote Code Execution Vulnerability CVE-2013-0809 398

8 Apache 2.2 < 2.2.22 Multiple Vulnerabilities CVE-2011-3368 349

9 Splunk Enterprise < 6.4.2 Multiple Vulnerabilities CVE-2013-0211 313

10 OpenSSL AES-NI Padding Oracle MitM Information Disclosure CVE-2016-2107 296

11 Web Server Directory Traversal Arbitrary File Access CVE-2000-0920 268

12 MS17-010: Windows SMB Remote Code Execution (EternalBlue) CVE-2017-0143 252

13 MS08-067: Server Service Vulnerability CVE-2008-4250 205

14 Microsoft Windows Unquoted Service Path Enumeration CVE-2013-1609 192

15 Adobe Acrobat < 10.0.1 Multiple Vulnerabilities CVE-2010-4091 189

16 OpenSSL Heartbeat Information Disclosure (Heartbleed) CVE-2014-0160 186

17 Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution CVE-2012-0874 167

18 PHP < 5.3.9 Multiple Vulnerabilities CVE-2011-3379 165

19 MS15-004: Directory Traversal Elevation of Privilege Vulnerability CVE-2015-0016 159

20 Adobe Reader < 9.1 Multiple Vulnerabilities CVE-2009-0193 132

21 GNU C Library < 2.23 Multiple Vulnerabilities CVE-2015-7547 127

22 Mozilla Updater and Windows Update Service Privilege Escalation Vulnerability CVE-2012-1942 119

23 MS10-096: Windows Address Book Insecure Library Loading Vulnerability CVE-2010-3147 112

24 MS14-064: Windows OLE Automation Array Remote Code Execution Vulnerability CVE-2014-6332 111

25 MS11-019: Browser Pool Corruption Vulnerability CVE-2011-0654 101

26 MS11-026: MHTML Mime-Formatted Request Vulnerability CVE-2011-0096 101

27 Sun Java Web Start JNLP Remote Code Execution Vulnerability CVE-2007-3655 96

28 MS10-042: Vulnerability in Help and Support Center CVE-2010-1885 95

29 MS10-097: Insecure Library Loading in Internet Connection Signup Wizard CVE-2010-3144 95

30 MS11-003: Cumulative Security Update for Internet Explorer CVE-2010-3971 92

NOTES: In this table, we have only identified a single CVE ID for each vulnerability in order to simplify our reporting.

Operating systems are not the only systems with exploitable vulnerabilities. Applications rank equally high.

Vulnerabilities: Top 30 Overall by Count (All Severity — External and Internal)

Vulnerability CVE ID Count

1 Microsoft Windows Remote Desktop Protocol Server MiTM Weakness CVE-2005-1794 51450

2 SSL RC4 Cipher Suites Supported CVE-2013-2566 43284

3 SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) CVE-2014-3566 19237

4 SSH Server CBC Mode Ciphers Enabled CVE-2008-5161 19201

5 SSL Certificate Signed Using Weak Hashing Algorithm CVE-2004-2761 15131

6 Microsoft Windows SMB NULL Session Authentication CVE-1999-0519 10216

7 SSL Version 2 (v2) Protocol Detection CVE-2005-2969 5986

8 SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection CVE-2009-3555 5394

9 TLS Padding Oracle Information Disclosure Vulnerability (TLS POODLE) CVE-2014-8730 4991

10 HTTP TRACE / TRACK Methods Allowed CVE-2003-1567 4714

11 SSL/TLS Diffie-Hellman Modulus Weak Configuration (Logjam) CVE-2015-4000 4347

12 Apache HTTP Server httpOnly Cookie Information Disclosure CVE-2012-0053 3970

13 SNMP Agent Default Community Name (public) CVE-1999-0517 3790

14 RomPager HTTP Referer Header XSS CVE-2013-6786 3476

15 SSL 64-bit Block Size Cipher Suites Supported (SWEET32) CVE-2016-2183 3246

16 Web Server HTTP Header Internal IP Disclosure CVE-2000-0649 3094

17 MS12-020: Remote Desktop Protocol Vulnerability* CVE-2012-0002 2836

18 SSH Protocol Version 1 Session Key Retrieval CVE-2001-0361 2724

19 HP System Management Homepage < 7.0 Multiple Vulnerabilities CVE-2009-0037 2058

20 MS14-066: Microsoft Schannel Remote Code Execution Vulnerability* CVE-2014-6321 2018

21 MS16-047: Windows SAM and LSAD Downgrade Vulnerability (Badlock)* CVE-2016-0128 2008

22 SSL/TLS EXPORT_RSA Weak Configuration (FREAK) CVE-2015-0204 1937

23 Dropbear SSH Server < 2013.59, Multiple Vulnerabilities CVE-2013-4421 1923

24 TLS CRIME Vulnerability CVE-2012-4929 1908

25 SSL / TLS Renegotiation DoS CVE-2011-1473 1654

* Uncredentialed check

26 Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key CVE-2002-1623 1540

27 Microsoft Windows Unquoted Service Path Enumeration CVE-2013-1609 1430

28 Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities CVE-2013-3660 1398

29 MS15-034: Vulnerability in HTTP.sys Remote Code Execution CVE-2015-1635 1364

30 MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Remote Code Execution CVE-2010-3190 1237

SSL vulnerabilities dominate the top 30 highest count.

Top 10 External Exploits

1. Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 426
2. MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 379
3. Apache 2.2 < 2.2.22 Multiple Vulnerabilities | CVE-2011-3368 | 183
4. OpenSSL AES-NI Padding Oracle MitM Information Disclosure | CVE-2016-2107 | 141
5. MS15-004: Directory Traversal Elevation of Privilege Vulnerability | CVE-2015-0016 | 86
6. Microsoft Windows Unquoted Service Path Enumeration | CVE-2013-1609 | 77
7. SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | CVE-2014-3566 | 47
8. MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 40
9. PHP < 5.3.9 Multiple Vulnerabilities | CVE-2011-3379 | 37
10. Cisco ASA / IOS IKE Fragmentation Vulnerability | CVE-2016-1287 | 29

Missing Microsoft patch MS17-010, which WannaCry used as a transport method, cracked the list of top 10 external exploits in less than a year.

Top 10 External Vulnerabilities by Count

1. SSL RC4 Cipher Suites Supported | CVE-2013-2566 | 12970
2. SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | CVE-2014-3566 | 6589
3. SSL Version 2 (v2) Protocol Detection | CVE-2005-2969 | 2926
4. HTTP TRACE / TRACK Methods Allowed | CVE-2003-1567 | 2481
5. Web Server HTTP Header Internal IP Disclosure | CVE-2000-0649 | 2056
6. SSH Server CBC Mode Ciphers Enabled | CVE-2008-5161 | 1835
7. Apache HTTP Server httpOnly Cookie Information Disclosure | CVE-2012-0053 | 1522
8. SSL Certificate Signed Using Weak Hashing Algorithm | CVE-2004-2761 | 1460
9. Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key | CVE-2002-1623 | 1255
10. SSL 64-bit Block Size Cipher Suites Supported (SWEET32) | CVE-2016-2183 | 1060

Most external vulnerabilities relate to web servers.

Top 10 Internal Exploits by Count

1. HP System Management Homepage < 7.0 Multiple Vulnerabilities | CVE-2009-0037 | 2041
2. Windows Kernel Win32k.sys, Multiple Vulnerabilities | CVE-2013-3660 | 1398
3. MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 | 985
4. Apache HTTP Server Byte Range DoS | CVE-2011-3192 | 696
5. MS13-047: Internet Explorer Memory Corruption Vulnerability | CVE-2013-3110 | 659
6. Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) | CVE-2013-0401 | 562
7. Oracle Java JDK/JRE Remote Code Execution Vulnerability | CVE-2013-0809 | 383
8. Splunk Enterprise < 6.4.2 | CVE-2013-0211 | 313
9. Web Server Directory Traversal Arbitrary File Access | CVE-2000-0920 | 259
10. MS17-010: Windows SMB Remote Code Execution (EternalBlue) | CVE-2017-0143 | 244

EternalBlue cracked the top 10 list of internal exploits by count, as well.

Top 10 Ports with Internal Vulnerabilities

1. microsoft-ds (445): 46142
2. https (443): 16502
3. http (80): 14838
4. ssh (22): 7784
5. netbios-ssn (139): 7549
6. dcom-scm (135): 6093
7. telnet (23): 5593
8. h323 (1720): 3425
9. netbios-ns (137): 2989
10. sunrpc (111): 2801

Top 10 Internal Vulnerabilities by Count

1. Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | CVE-2005-1794 | 50296
2. SSL RC4 Cipher Suites Supported | CVE-2013-2566 | 30314
3. SSH Server CBC Mode Ciphers Enabled | CVE-2008-5161 | 17365
4. SSL Certificate Signed Using Weak Hashing Algorithm | CVE-2004-2761 | 13357
5. SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | CVE-2014-3566 | 12493
6. SSL RC4 Cipher Suites Supported | CVE-2013-2566 | 10833
7. Microsoft Windows SMB NULL Session Authentication | CVE-1999-0519 | 10102
8. SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection | CVE-2009-3555 | 4351
9. SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (SSL/TLS Logjam Vulnerability) | CVE-2015-4000 | 3734
10. SNMP Agent Default Community Name (public) | CVE-1999-0517 | 3426

Total Exploits (External and Internal) Over Time

Year | Total Exploits
2009 | 69
2010 | 7
2011 | 433
2012 | 331
2013 | 703
2014 | 709
2015 | 1509
2016 | 565
2017 | 695

In 2015, significant exploits included Adobe Flash and Microsoft Office vulnerabilities.

Total Vulnerabilities (External and Internal) Over Time

(Bar chart, 2009 through 2017, y-axis 0 to 16000. The yearly totals printed on the bars are 255, 1358, 3251, 3304, 3376, 4541, 6235, 6813 and 10829; the chart as extracted does not preserve which total belongs to which year.)

As expected, the number of vulnerabilities identified over time is increasing.

Overall Industry Findings (2009 – 2017)

Vulnerability Severity by Industry

Industry | Critical and High Unique Vulnerabilities | Unique Vulnerabilities
Technology, Media & Telecommunications | 238 | 631
Manufacturing | 956 | 1594
Healthcare & Life Sciences | 1614 | 2374
Financial Services | 1771 | 2790
Energy & Utilities | 611 | 974
Education | 556 | 895
Consumer Products & Services | 1549 | 2537

Technology, Media and Telecommunications organizations had the lowest percentage of vulnerabilities that were “critical” or “high” in severity.

NOTES: Organizations included by industry and number of scans/tests performed: Consumer Products & Services 36%, Financial Services 29%, Healthcare & Life Sciences 10%, Technology, Media & Telecommunications 9%, Manufacturing 8%, Energy & Utilities 7%, Education 1%.

Exploits by Industry

Industry | Critical and High Unique Exploits | Unique Exploits
Technology, Media & Telecommunications | 31 | 37
Manufacturing | 73 | 88
Healthcare & Life Sciences | 143 | 165
Financial Services | 150 | 181
Energy & Utilities | 54 | 66
Education | 71 | 85
Consumer Products & Services | 135 | 159

By their very nature, most exploits are considered “critical” or “high” in severity.

NOTES: Organizations included by industry and number of scans/tests performed: Consumer Products & Services 36%, Financial Services 29%, Healthcare & Life Sciences 10%, Technology, Media & Telecommunications 9%, Manufacturing 8%, Energy & Utilities 7%, Education 1%.

Financial Services

Top 10 Overall Exploits (External and Internal)

Exploit | Count | CVE
Windows HTTP.sys Remote Code Execution Vulnerability | 1398 | CVE-2013-3660
HP System Management Homepage < 7.0 Multiple Vulnerabilities | 908 | CVE-2009-0037
MS13-047: Internet Explorer Memory Corruption Vulnerability | 650 | CVE-2013-3110
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | 583 | CVE-2015-1635
Oracle Java SE Multiple Vulnerabilities (April 2013 CPU) | 560 | CVE-2013-0401
Apache HTTP Server Byte Range DoS | 510 | CVE-2011-3192
Oracle Java JDK/JRE Remote Code Execution Vulnerability | 381 | CVE-2013-0809
Splunk Enterprise < 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities | 302 | CVE-2013-0211
Adobe Acrobat < 10.0.1 Multiple Vulnerabilities | 189 | CVE-2010-4091
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | 175 | CVE-2017-0143

Financial Services (cont.)

Top 10 Overall Exploits by Port (External and Internal)

Rank | Service (port) | Count
01 | microsoft-ds (445) | 15840
02 | https (443) | 9411
03 | http (80) | 6621
04 | netbios-ssn (139) | 4261
05 | ssh (22) | 3310
06 | sunrpc (111) | 1263
07 | telnet (23) | 1211
08 | netbios-ns (137) | 463
09 | dcom-scm (135) | 435
10 | snmp (161) | 417

Financial Services (cont.)

Top 10 Overall Vulnerabilities (External and Internal)

Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 17608
SSL RC4 Cipher Suites Supported | 9253
SSH Server CBC Mode Ciphers Enabled | 5662
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 5451
Microsoft Windows SMB NULL Session Authentication | 3575
HTTP TRACE / TRACK Methods Allowed | 2169
SSL Version 2 Protocol Detection | 1967
Apache HTTP Server httpOnly Cookie Information Disclosure | 1779
RomPager HTTP Referer Header XSS | 1705
Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities | 1398

Consumer Products and Services

Top 10 Overall Exploits (External and Internal)

Exploit | Count | CVE
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | 548 | CVE-2011-1944
Apache HTTP Server Byte Range DoS | 230 | CVE-2011-3192
OpenSSL AES-NI Padding Oracle MiTM Information Disclosure | 143 | CVE-2016-2107
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | 131 | CVE-2017-0143
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | 121 | CVE-2013-5704
OpenSSL Heartbeat Information Disclosure (Heartbleed) | 87 | CVE-2014-0160
MS10-096: Windows Address Book Insecure Library Loading Vulnerability | 77 | CVE-2010-3147
MS10-073: Win32k Reference Count Vulnerability | 76 | CVE-2010-2549
MS11-027: Microsoft Windows 8 Developer Tools Vulnerability | 68 | CVE-2010-0811
MS11-019: Browser Pool Corruption Vulnerability | 67 | CVE-2011-0654

Consumer Products and Services organizations had more MS17-010 exploits identified than other industries.

Consumer Products and Services (cont.)

Top 10 Overall Exploits by Port (External and Internal)

Rank | Service (port) | Count
01 | https (443) | 12816
02 | microsoft-ds (445) | 8058
03 | http (80) | 4824
04 | dcom-scm (135) | 2627
05 | telnet (23) | 1966
06 | ssh (22) | 1767
07 | sunrpc (111) | 1039
08 | rdp (3389) | 1034
09 | netbios-ssn (139) | 1015
10 | netbios-ns (137) | 894

Consumer Products and Services (cont.)

Top 10 Overall Vulnerabilities (External and Internal)

Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 9342
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 6003
SSL Certificate Signed Using Weak Hashing Algorithm | 5461
SSH Server CBC Mode Ciphers Enabled | 4008
SSL Version 2 Protocol Detection | 1781
Web Server HTTP Header Internal IP Disclosure | 1579
Microsoft Windows SMB NULL Session Authentication | 1385
HTTP TRACE / TRACK Methods Allowed | 948
Apache HTTP Server httpOnly Cookie Information Disclosure | 880
SNMP Agent Default Community Name | 817

Education

Top 10 Overall Exploits (External and Internal)

Exploit | Count | CVE
Apache HTTP Server Byte Range DoS | 34 | CVE-2011-3192
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | 13 | CVE-2013-5704
PHP < 5.3.9 Multiple Vulnerabilities | 12 | CVE-2011-3379
Microsoft Windows Unquoted Service Path Enumeration | 10 | CVE-2013-1609
Apache Struts2 / XWork Remote Code Execution | 8 | CVE-2010-1870
Web Server Directory Traversal Arbitrary File Access | 6 | CVE-2000-0920
MS15-009: Internet Explorer Use-after-free Vulnerability | 6 | CVE-2014-8967
MS14-058: Win32k.sys Privilege Escalation Vulnerability | 5 | CVE-2014-4113
MS14-056: Internet Explorer Elevation of Privilege Vulnerability | 5 | CVE-2014-4123
Adobe Reader < 10.0.1 Multiple Vulnerabilities | 5 | CVE-2010-4091

Education (cont.)

Top 10 Overall Exploits by Port (External and Internal)

Rank | Service (port) | Count
01 | http (80) | 1173
02 | netbios-ssn (139) | 934
03 | microsoft-ds (445) | 424
04 | https (443) | 344
05 | dcom-scm (135) | 292
06 | telnet (23) | 125
07 | ssh (22) | 107
08 | ntp (123) | 67
09 | sunrpc (111) | 48
10 | netbios-ns (137) | 33

Education (cont.)

Top 10 Overall Vulnerabilities (External and Internal)

Vulnerability | Count
SSL RC4 Cipher Suites Supported | 948
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 426
HTTP TRACE / TRACK Methods Allowed | 241
Apache HTTP Server httpOnly Cookie Information Disclosure | 193
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 163
SSL Version 2 Protocol Detection | 107
Microsoft Windows SMB NULL Session Authentication | 84
SNMP Agent Default Community Name | 61
Web Server Generic XSS | 37
Apache HTTP Server Byte Range DoS | 34

Energy and Utilities

Top 10 Overall Exploits (External and Internal)

Exploit | Count | CVE
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | 104 | CVE-2011-1944
Apache HTTP Server Byte Range DoS | 27 | CVE-2011-3192
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | 18 | CVE-2015-1635
MS11-004: IIS FTP Service Heap Buffer Overrun Vulnerability | 18 | CVE-2010-3972
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | 13 | CVE-2013-5704
HP LaserJet PJL Interface Directory Traversal | 11 | CVE-2010-4107
Web Server Directory Traversal Arbitrary File Access | 9 | CVE-2000-0920
MS08-067: Server Service Vulnerability | 8 | CVE-2008-4250
MS13-037: Internet Explorer Use-after-free Vulnerability | 7 | CVE-2013-0811
MS12-008: GDI Access Violation Vulnerability | 7 | CVE-2011-5046

Energy and Utilities (cont.)

Top 10 Overall Exploits by Port (External and Internal)

Rank | Service (port) | Count
01 | microsoft-ds (445) | 1944
02 | https (443) | 851
03 | http (80) | 467
04 | ssh (22) | 438
05 | telnet (23) | 221
06 | ftp (21) | 177
07 | netbios-ns (137) | 126
08 | netbios-ssn (139) | 119
09 | snmp (161) | 105
10 | dcom-scm (135) | 59

Energy and Utilities (cont.)

Top 10 Overall Vulnerabilities (External and Internal)

Vulnerability | Count
SSL RC4 Cipher Suites Supported | 2275
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 1801
SSH Server CBC Mode Ciphers Enabled | 999
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 488
SSL Version 2 Protocol Detection | 351
SNMP Agent Default Community Name | 332
Microsoft Windows SMB NULL Session Authentication | 267
RomPager HTTP Referer Header XSS | 199
SSH Protocol Version 1 Session Key Retrieval | 181
MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution | 148

Healthcare and Life Sciences

Top 10 Overall Exploits (External and Internal)

Exploit | Count | CVE
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | 411 | CVE-2011-1944
MS17-010: Windows SMB Remote Code Execution (EternalBlue) | 238 | CVE-2017-0143
Web Server Directory Traversal Arbitrary File Access | 195 | CVE-2000-0920
Apache HTTP Server Byte Range DoS | 192 | CVE-2011-3192
Microsoft Windows Unquoted Service Path Enumeration | 151 | CVE-2013-1609
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability | 136 | CVE-2015-1635
GNU C Library < 2.23 Multiple Vulnerabilities | 99 | CVE-2015-7547
Apache 2.2 < 2.2.22 Multiple Vulnerabilities | 96 | CVE-2011-3368
MS08-067: Server Service Vulnerability | 77 | CVE-2008-4250
Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution | 58 | CVE-2012-0874

Healthcare and Life Sciences (cont.)

Top 10 Overall Exploits by Port (External and Internal)

Rank | Service (port) | Count
01 | microsoft-ds (445) | 15916
02 | https (443) | 2367
03 | http (80) | 1966
04 | telnet (23) | 1948
05 | ssh (22) | 1700
06 | netbios-ns (137) | 1421
07 | ftp (21) | 974
08 | netbios-ssn (139) | 900
09 | sunrpc (111) | 340
10 | raw (9100) | 314

Healthcare and Life Sciences (cont.)

Top 10 Overall Vulnerabilities (External and Internal)

Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 15721
SSL RC4 Cipher Suites Supported | 14456
SSH Server CBC Mode Ciphers Enabled | 5786
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 3992
Microsoft Windows SMB NULL Session Authentication | 3092
Dropbear SSH Server < 2013.59 Multiple Vulnerabilities | 1211
MS16-047: Security Update for SAM and LSAD Remote Protocols | 936
SNMP Agent Default Community Name | 760
SSL Version 2 Protocol Detection | 596
Chargen UDP Service Remote DoS | 530

Manufacturing

Top 10 Overall Exploits (External and Internal)

Exploit | Count | CVE
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | 344 | CVE-2015-1635
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | 194 | CVE-2011-1944
Apache HTTP Server Byte Range DoS | 70 | CVE-2011-3192
Microsoft Windows Unquoted Service Path Enumeration | 59 | CVE-2013-1609
MS14-064: Windows OLE Automation Array Remote Code Execution Vulnerability | 57 | CVE-2014-6332
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | 46 | CVE-2013-5704
MS08-067: Server Service Vulnerability | 35 | CVE-2008-4250
Web Server Directory Traversal Arbitrary File Access | 32 | CVE-2000-0920
MS14-070: TCP/IP Elevation of Privilege Vulnerability | 30 | CVE-2014-4076
MS14-062: Unvalidated Address in IRP Handler Privilege Elevation Vulnerability | 30 | CVE-2014-4971

Manufacturing (cont.)

Top 10 Overall Exploits by Port (External and Internal)

Rank | Service (port) | Count
01 | http (80) | 3142
02 | microsoft-ds (445) | 2406
03 | https (443) | 1525
04 | netbios-ssn (139) | 1143
05 | telnet (23) | 345
06 | h323 (1720) | 237
07 | ssh (22) | 222
08 | ftp (21) | 172
09 | netbios-ns (137) | 95
10 | dcom-scm (135) | 76

Manufacturing (cont.)

Top 10 Overall Vulnerabilities (External and Internal)

Vulnerability | Count
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 3192
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 2147
SSL RC4 Cipher Suites Supported | 1925
RomPager HTTP Referer Header XSS | 1481
SSH Server CBC Mode Ciphers Enabled | 1329
Microsoft Windows SMB NULL Session Authentication | 1267
MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution | 581
SNMP Agent Default Community Name | 505
HTTP TRACE / TRACK Methods Allowed | 384
MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution | 365

Technology, Media and Telecommunications

Top 10 Overall Exploits (External and Internal)

Exploit | Count | CVE
MS15-034: Windows HTTP.sys Remote Code Execution Vulnerability (uncredentialed check) | 344 | CVE-2015-1635
HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | 194 | CVE-2011-1944
Apache HTTP Server Byte Range DoS | 70 | CVE-2011-3192
Microsoft Windows Unquoted Service Path Enumeration | 59 | CVE-2013-1609
MS14-064: Windows OLE Automation Array Remote Code Execution Vulnerability | 57 | CVE-2014-6332
Apache 2.2 < 2.2.28 Multiple Vulnerabilities | 46 | CVE-2013-5704
MS08-067: Server Service Vulnerability | 35 | CVE-2008-4250
Web Server Directory Traversal Arbitrary File Access | 32 | CVE-2000-0920
MS14-062: Unvalidated Address in IRP Handler Privilege Elevation Vulnerability | 30 | CVE-2014-4971
MS14-070: Vulnerability in TCP/IP Elevation of Privilege | 30 | CVE-2014-4076

Technology, Media and Telecommunications (cont.)

Top 10 Overall Exploits by Port (External and Internal)

Rank | Service (port) | Count
01 | h323 (1720) | 3032
02 | microsoft-ds (445) | 2907
03 | https (443) | 2787
04 | ssh (22) | 1097
05 | http (80) | 980
06 | finger (79) | 253
07 | netbios-ssn (139) | 187
08 | telnet (23) | 134
09 | ntp (123) | 78
10 | netbios-ns (137) | 67

Technology, Media and Telecommunications (cont.)

Top 10 Overall Vulnerabilities (External and Internal)

Vulnerability | Count
SSL RC4 Cipher Suites Supported | 4840
Microsoft Windows Remote Desktop Protocol Server MiTM Weakness | 1673
SSH Server CBC Mode Ciphers Enabled | 1087
SSL Version 2 Protocol Detection | 874
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 787
Web Server HTTP Header Internal IP Disclosure | 738
Microsoft Windows SMB NULL Session Authentication | 496
HTTP TRACE / TRACK Methods Allowed | 420
Apache HTTP Server httpOnly Cookie Information Disclosure | 226
Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key | 208

Key Questions to Consider

Following are some suggested questions that CIOs and IT leaders should consider, based on the context of and risks inherent in the entity’s operations:

• Are our systems correctly configured to prevent hackers from getting in?
• Does our organization have a good handle on its asset inventory? Specifically, do we know what’s exposed on the internet and what’s not? Is it protected?
• Are we protected from insider threats?
• Are web applications developed and maintained in a manner to resist attack?
• Do our employees know how to identify and respond to attacks?

Final Thoughts

Over the past decade, the cyber threat landscape clearly has been perilous for organizations and undoubtedly will remain so in the years ahead. What can organizations learn from all of this? Perhaps the key lesson is that any organization most likely has security vulnerabilities in one or more areas. To understand these vulnerabilities better, organizations should perform a comprehensive assessment to identify their security vulnerabilities and threats. Further, the calls to action detailed earlier provide a roadmap for organizations to improve their overall security posture.

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

CONTACTS

Kurt Underwood, Managing Director, Global Leader, Technology Consulting Practice, +1.267.256.8825, [email protected]
Scott Laliberte, Managing Director, +1.312.476.6353, [email protected]
Andrew Retrum, Managing Director, +1.206.262.8389, [email protected]

Randy Armknecht, Managing Director, +1.312.476.6428, [email protected]
Michael Walter, Managing Director, +1.303.898.9145, [email protected]
Tom Stewart, Director, +1.312.931.8901, [email protected]


THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Fort Lauderdale, Houston, Indianapolis, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA*: Buenos Aires
BRAZIL*: Rio de Janeiro, Sao Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE*: Santiago
COLOMBIA*: Bogota
MEXICO*: Mexico City
PERU*: Lima
VENEZUELA*: Caracas

EUROPE, MIDDLE EAST, AFRICA

FRANCE: Paris
GERMANY: Frankfurt, Munich
ITALY: Milan, Rome, Turin
NETHERLANDS: Amsterdam
UNITED KINGDOM: London
BAHRAIN*: Manama
KUWAIT*: Kuwait City
OMAN*: Muscat
QATAR*: Doha
SAUDI ARABIA*: Riyadh
UNITED ARAB EMIRATES*: Abu Dhabi, Dubai

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
INDIA*: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore

*MEMBER FIRM

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0418-101105 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.