#69 - CYBER SECURITY VULNERABILITIES – MARK BERNARD

Mark Bernard

I wrote the following article to help clarify CyberSecurity threats and vulnerabilities, so that we can facilitate better risk assessment. This assessment of software vulnerabilities was based on data pulled from the Common Vulnerabilities and Exposures (CVE) database. For added context I have included below statistics from the Q1 RedSocks Report on Malware. It is apparent that the CVE registers only a small percentage of the overall vulnerabilities. This report supports the need for ongoing vulnerability management; however, there is an equally important emphasis on regular security testing and on integration with product development and change management.

  • Common Vulnerabilities & Exposures 61,439
  • New malicious files 8,206,419
  • Detection by Anti-Virus software 6,153,370
  • Undetected 2,053,049

I chose a sampling of the top brands and products used in most infrastructures today. I used three pieces of information for the assessment: the total number of products, total vulnerabilities and total exposures.

Not all vulnerabilities have published exploits, but that does not diminish the potential risk associated with these vulnerabilities in the absence of a formal Information Security Management System. After considering the type of vulnerabilities that exist and the number of products that the vendor produces, we can draw some conclusions regarding their approach to Quality Management, information security and the protection of the businesses that depend on them against Cyber Criminals. Some of these vulnerability types include Denial of Service, Overflow, Execute Code, Bypass Something, Gain Information, Gain Privilege, XSS, SQL Injection, Directory Traversal, CSRF, Memory Corruption, and File Inclusion. Each of these vulnerabilities represents a potential opportunity for Cyber Criminals.
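As an added example (not part of the original article), the assessment described above can be reproduced over CVE-style records: tally distinct products, vulnerabilities and vulnerabilities with a published exploit per vendor, broken down by the vulnerability types listed. The records and vendor names are constructed, and the per-product and exploit ratios are an addition that lets vendors of very different portfolio sizes be compared on equal footing.

```python
from collections import defaultdict

# Constructed CVE-style records (not real CVE data): vendor, product,
# vulnerability type as categorised in the article, and whether a
# public exploit is known for it.
SAMPLE_RECORDS = [
    ("VendorA", "Gateway", "Denial of Service", False),
    ("VendorA", "Gateway", "Overflow", True),
    ("VendorA", "Console", "XSS", False),
    ("VendorA", "Console", "SQL Injection", True),
    ("VendorB", "Agent", "Gain Privilege", False),
    ("VendorB", "Agent", "Memory Corruption", False),
    ("VendorC", "Portal", "Directory Traversal", True),
]


def summarise_by_vendor(records):
    """Reduce records to the three figures the article uses per vendor
    (distinct products, total vulnerabilities, vulnerabilities with a
    published exploit), plus a per-type breakdown and two normalised
    ratios so a vendor with 1500 products can be compared with one
    that has 13."""
    products = defaultdict(set)
    vulns = defaultdict(int)
    exploits = defaultdict(int)
    by_type = defaultdict(lambda: defaultdict(int))
    for vendor, product, vuln_type, has_exploit in records:
        products[vendor].add(product)
        vulns[vendor] += 1
        if has_exploit:
            exploits[vendor] += 1
        by_type[vendor][vuln_type] += 1
    summary = {}
    for vendor in vulns:
        n_products = len(products[vendor])
        summary[vendor] = {
            "products": n_products,
            "vulnerabilities": vulns[vendor],
            "exploits": exploits[vendor],
            "vulns_per_product": round(vulns[vendor] / n_products, 2),
            "exploit_ratio": round(exploits[vendor] / vulns[vendor], 2),
            "types": dict(by_type[vendor]),
        }
    return summary


def rank_vendors(summary):
    """Order vendors by share of exploitable vulnerabilities, then by
    vulnerability density, highest risk first."""
    key = lambda v: (summary[v]["exploit_ratio"], summary[v]["vulns_per_product"])
    return sorted(summary, key=key, reverse=True)


if __name__ == "__main__":
    s = summarise_by_vendor(SAMPLE_RECORDS)
    for vendor in rank_vendors(s):
        print(vendor, s[vendor])
```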

Security weaknesses exist within the defense-in-depth security architecture.

  • Microsoft: 378 Products, 3483 Vulnerabilities, 184 Exploits.
  • Apple: 100 Products, 2284 Vulnerabilities, 45 Exploits.
  • Oracle: 241 Products, 2258 Vulnerabilities, 23 Exploits.
  • IBM: 566 Products, 2073 Vulnerabilities, 32 Exploits.
  • Linux: 13 Products, 1208 Vulnerabilities, 23 Exploits.
  • HP: 1594 Products, 1126 Vulnerabilities, 34 Exploits.
  • Google: 39 Products, 1095 Vulnerabilities, 16 Exploits.
  • VMWare: 56 Products, 204 Vulnerabilities, 5 Exploits.
  • OpenOffice: 2 Products, 35 Vulnerabilities, 1 Exploit.

I was surprised that only one of the top 5 Enterprise Resource Planning (ERP) system vendors, SAP, actually publishes vulnerabilities; I expected to see all of them. The top five are: #1 Epicor, #2 Infor, #3 Microsoft Dynamics, #4 Oracle Financials, and #5 SAP. What are the others hiding?

  • SAP: 84 Products, 178 Vulnerabilities, 12 Exploits.

I was also surprised to see some of the top security vendors' products listed with serious deficiencies that potentially expose customers and weaken the defense-in-depth security architecture that many businesses and citizens have come to depend upon. These include CISCO, HP, VMWare, McAfee, Symantec and Alienvault.

  • CISCO: 1064 Products, 1817 Vulnerabilities, 27 Exploits.
  • McAfee: 78 Products, 139 Vulnerabilities, 6 Exploits.
  • Symantec: 183 Products, 92 Vulnerabilities, 12 Exploits.
  • Websense: 19 Products, 27 Vulnerabilities, 0 Exploits.
  • Alienvault: 3 Products, 17 Vulnerabilities, 4 Exploits.
  • Splunk: 1 Product, 15 Vulnerabilities, 2 Exploits.

Conclusion: The results speak for themselves. Quality Management does not appear to exist, and consumers and organizations have been forced to take on security risks that should have been mitigated by the manufacturers and developers. It's time that information security was treated as being as important as financial data. Legislation for the quality of products facing the Internet needs to be imposed to stop the leaking. Governments creating CyberSecurity Armies are wasting their time. If information security were imposed on software developers and reinforced with regular audits and certifications, CyberSecurity risks would be dramatically reduced.

Businesses would benefit from building better CyberSecure products by lowering operational risks and increasing market uptake.

Bio:

Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2

Information Security, Privacy, Governance, Risk Management Consultant. Mark has 24 years of proven experience within the domain of Information Security, Risk, Governance and Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million and smaller contracts for specialized services for ERP systems and security testing. Mark has led his work-stream during the RFP process, negotiations, on-boarding, contract renegotiation and as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and reengineered IT processes based on ITIL/ISO 20000 Service Management, building in ISO 9001 Quality Management. He can be reached at: mesbernard@gmail.com
