Internet Security Threat Report Government 2013
p. 138

Symantec Corporation
Internet Security Threat Report 2013 :: Volume 18

Vulnerability Trends

Total Number of Vulnerabilities

Background

The total number of vulnerabilities for 2012 is based on research from independent security experts and vendors of affected products. The yearly total also includes zero-day vulnerabilities that attackers uncovered and were subsequently identified post-exploitation. Calculating the total number of vulnerabilities provides insight into vulnerability research being conducted in the threat landscape. There are many motivations for conducting vulnerability research, including security, academic, promotional, software quality assurance, and, of course, the malicious motivations that drive attackers. Symantec gathers information on all of these vulnerabilities as part of its DeepSight vulnerability database and alerting services. Examining these trends also provides further insight into other topics discussed in this report.

Discovering vulnerabilities can be advantageous to both sides of the security equation: legitimate researchers may learn how better to defend against attacks by analyzing the work of attackers who uncover vulnerabilities; conversely, cybercriminals can capitalize on the published work of legitimate researchers to advance their attack capabilities. The vast majority of vulnerabilities that are exploited by attack toolkits are publicly known by the time they are exploited.

Methodology

Information about vulnerabilities is made public through a number of sources. These include mailing lists, vendor advisories, and detection in the wild. Symantec gathers this information and analyzes various characteristics of the vulnerabilities, including technical information and ratings, in order to determine the severity and impact of the vulnerabilities. This information is stored in the DeepSight vulnerability database, which houses over 52,795 distinct vulnerabilities spanning a period of over 20 years. As part of the data gathering process, Symantec scores the vulnerabilities according to version 2.0 of the community-based CVSS (Common Vulnerability Scoring System).[1] Symantec adopted version 2.0 of the scoring system in 2008. The total number of vulnerabilities is determined by counting all of the vulnerabilities published during the reporting period. All vulnerabilities are included, regardless of severity or whether or not the vendor who produced the vulnerable product confirmed them.