Public Vulnerability Research Market in 2014 The Evolving Threat Environment During the Internet of Things Era NFDF-74 November 2015 Research Team Lead Analyst Contributing Analyst Pamela Tufegdzic Chris Kissel Industry Analyst Industry Analyst ICT – Network Security ICT – Network Security (248) 259-2053 (623) 910-7986 [email protected] [email protected] Vice President of Research Research Director Michael Suby Frank Dickson VP of Research Research Director Stratecast/Frost & Sullivan ICT — Network Security (720) 344-4860 (469) 387-0256 [email protected] [email protected] NFDF-74 2 List of Exhibits Section Slide Number Executive Summary 8 Market Overview 10 • Market Overview – Research Objectives 11 • Market Overview (continued) 12 • Market Overview—Best Practices Public Vulnerability Disclosure 17 • Market Overview—The Evolving Attacker 18 • Market Overview—Terminology and Definitions 19 • Market Overview—Key Questions This Insight Answers 22 Research Methodology 23 Cyber Threat Analysis and Reporting 26 Introduction to Cyber Threat Analysis and Reporting 27 The Internet of Things 28 The Internet of Things—(continued) 29 NFDF-74 3 List of Exhibits (continued) Section Slide Number • SCADA 31 • Software―Java 33 • Malware 34 • Mobile Malware 37 Market Trends in Public Vulnerabilities 38 • Vulnerabilities Reported by Year 39 • Vulnerabilities Reported by Quarter 40 • Market Trends 41 • Vulnerability Disclosure 43 • Vulnerability Disclosure by Organization Type 46 • Analysis of Vulnerabilities by Severity 49 NFDF-74 4 List of Exhibits (continued) Section Slide Number Comparison of Targeted Applications 59 • Targeted Applications 60 • Analysis of Targeted Applications 61 • Top Targeted Types of Applications 62 • Disclosing Institutions: Web Browser Vulnerabilities 63 • Disclosing Institutions: Media Applications Vulnerabilities 64 • Disclosing Institutions: Server Vulnerabilities 65 • Disclosing Institutions: Business Applications Vulnerabilities 66 • Analysis of Targeted Applications by Type 67 • Targeted Web Browser Type 70 • Analysis of Targeted Web Browser Type 72 Vulnerability Analysis 73 • Vulnerability Definitions 74 • Vulnerabilities Reported by Flaw Type (For 2013) 76 • Vulnerabilities Reported by Flaw Type (2014) 77 NFDF-74 5 List of Exhibits (continued) Section Slide Number • Disclosing Institutions: Buffer Overflow Errors 78 • Disclosing Institutions: Code Injection Errors 79 • Top Impact Type 80 • Analysis of Impact Types 82 Competitive Analysis 83 • Competitive Analysis Verified Vulnerabilities 84 • Competitive Analysis Verified and Unverified Vulnerabilities 87 Status of Public Vulnerabilities 89 Conclusions 93 • Certification 95 Appendix 96 • Vulnerability Database Sources (for 2014) 97 • List of Publications Cited in This Report 98 Legal Disclaimer 99 NFDF-74 6 List of Exhibits (continued) Section Slide Number The Frost & Sullivan Story 100 • Value Proposition: Future of Your Company & Career 102 • Global Perspective 103 • Industry Convergence 104 • 360º Research Perspective 105 • Implementation Excellence 106 • Our Blue Ocean Strategy 107 NFDF-74 7 Executive Summary Return to contents NFDF-74 8 Executive Summary—Key Findings • 728 software vulnerabilities were reported publicly by research organizations in 2014. o In 2014, critical vulnerabilities that rated 10.0 in severity amounted to 12.4% of vulnerabilities disclosed, which was down from the 24.5% reported in 2013. o High-severity vulnerabilities accounted for 30.6% of disclosed vulnerabilities (down from 44.1% percent in 2013). o Medium and low-severity vulnerabilities represented 51.5% and 3.2% of vulnerabilities disclosed, respectively in 2014. Highlighting that better security measures with improved time-to-patch rate is helping to improve vulnerability severity ratings in 2014. o HPE had the most verified vulnerabilities reported with 317 proving the veracity of the HPE Tipping Point contributor program. • Hewlett-Packard Enterprise (HPE) found 150 critical and high-severity vulnerabilities (vulnerabilities are labeled critical severity if they have a common vulnerability scoring system (CVSS) base score of 10.0 and rated high severity with a CVSS base score of 9.9 – 7.0). All other disclosing companies accounted for 163 high-severity vulnerabilities. • Buffer overflow errors were the most common vulnerability flaw in 2013 and remained so in 2014. HPE found 125 incidents of buffer overflow errors in 2014, followed by Verisign iDefense, which found 14 vulnerabilities related to buffer overflow errors. • In 2014, the top six applications with the most vulnerabilities were Microsoft Internet Explorer, Oracle Java Runtime Environment, Microsoft Windows, Adobe Flash Player, Apple QuickTime, and Adobe Reader. • Frost & Sullivan counted 197 vulnerabilities (or 27.1% of all vulnerabilities) directly related to Web applications. • SCADA vulnerabilities increased from 25 in 2013 to 33 in 2014. • Researchers are looking at more than just network-attached endpoints for vulnerabilities. Web applications and browsers, malware, mobile malware, SCADA, and the Internet of Things are increasingly scrutinized. • Legacy systems and software that are no longer supported are a major concern for IT departments. On April 14, 2014, Microsoft discontinued its technical support for Windows XP on most devices and all PCs. There are an estimated 300 million PCs actively running on XP. Source: Frost & Sullivan analysis. NFDF-74 9 Market Overview NFDF-74 10 Research Objectives Primary Objective Secondary Objectives To acquire, record, and derive • To identify and promote prolific an insightful understanding reporters of vulnerabilities of Public Vulnerability Research from reliable vulnerability • To highlight and emphasize the vendors and research strongest work produced by laboratories in 2014 companies engaging in public vulnerability research reports • To analyze the gathered vulnerability data for trends and common factors Source: Frost & Sullivan analysis. NFDF-74 11 Market Overview • The following is both a study about software vulnerabilities and the companies that publicly disclose vulnerabilities. • A security vulnerability is any error in an IT system that can be exploited by an attacker to compromise the confidentiality or integrity of a system or to deny legitimate user access to a system. Other industry terms for security vulnerabilities include “software bug” and “flaw.” • In the past, the process by which the analysis of vulnerabilities was shared with third parties was subject to much debate, as full disclosure is the practice of making the details of security vulnerabilities public. o There is much debate in making vulnerabilities public because keeping vulnerabilities secret or not public keeps them out of the hands of hackers, but this assumes that hackers can’t discover vulnerabilities on their own. From the organization side, keeping vulnerabilities secret assumes organizations will spend time and money fixing secret vulnerabilities . Both assumptions have proven to be false. o Hackers have proven to be quite adept at discovering secret vulnerabilities. Full disclosure forces organizations to routinely patch their systems. • Organizations tend to treat vulnerabilities less as a software problem and more as a public relations (PR) problem. This is where full disclosure comes into play by making the PR problem more acute, organizations are then quick to patch vulnerabilities. o Naturally organizations receiving negative PR every time a vulnerability is made public quickly release a patch fixing the vulnerability in order to minimize the impact of negative PR. • Full disclosure of vulnerabilities helped shape the standardization of how vulnerabilities are tracked, managed and stored. Source: Frost & Sullivan analysis. NFDF-74 12 Market Overview (Continued) • Since 1999, the MITRE Corporation is responsible for certification and accreditation of the Common Vulnerabilities and Exposures (CVE), enabling standardization of how public vulnerabilities are tracked, managed and stored. • The MITRE Corporation (a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs) that provide innovative, practical solutions for some of the United States critical challenges) operates the National Cyber Security FFRDC to enhance cyber security and protect national information systems. o Funding for the MITRE Corporation comes from the National Cyber Security Division of the United States Department of Homeland Security. • The MITRE documentation defines CVE identifiers (also called CVE numbers, CVE-IDs and CVEs) as unique common identifiers for publicly known information-security vulnerabilities in publically released software packages. • In other words, the CVE is a dictionary of common names for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools and provide a baseline for evaluating the coverage of an organization’s security tools enabling a quick and accurate assessment of how to remediate vulnerabilities. Source: Frost & Sullivan analysis. NFDF-74 13 Market Overview (Continued) • CVEs (vulnerabilities) are assigned by a CVE Numbering Authority (CNA); there are three primary types of CVE number assignments: o The MITRE Corporation functions as editor and primary CNA. o Various CNAs assign CVE entries for their own products (i.e. Microsoft, HPE, Oracle, etc.). o Red Hat (multinational software company
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages106 Page
-
File Size-