internet security tHreAt rePOrt GOVernMent 2013

Recommendations

Info

p. 138 Symantec Corporation Internet Security Threat Report 2013 :: Volume 18 VULNERABILITy TRENDS Total Number of Vulnerabilities Background The total number of vulnerabilities for 2012 is based on research from independent security experts and vendors of affected products. The yearly total also includes zero-day vulnerabilities that attackers uncovered and were subsequently identified post-exploitation. Calculating the total number of vulnerabilities provides insight into vulnerability research being conducted in the threat landscape. There are many motivations for conducting vulnerability research, including security, academic, promotional, software quality assurance, and, of course, the malicious motivations that drive attackers. Symantec gathers information on all of these vulnerabilities as part of its DeepSight vulnerability database and alerting services. Examining these trends also provides further insight into other topics discussed in this report. Discovering vulnerabilities can be advantageous to both sides of the security equation: legitimate researchers may learn how better to defend against attacks by analyzing the work of attackers who uncover vulnerabilities; conversely, cybercriminals can capitalize on the published work of legitimate researchers to advance their attack capabilities. The vast majority of vulnerabilities that are exploited by attack toolkits are publicly known by the time they are exploited. Methodology Information about vulnerabilities is made public through a number of sources. These include mailing lists, vendor advisories, and detection in the wild. Symantec gathers this information and analyzes various characteristics of the vulnerabilities, including technical information and ratings in order to determine the severity and impact of the vulnerabilities. This information is stored in the DeepSight vulnerability database, which houses over 52,795 distinct vulnerabilities spanning a period of over 20 years. As part of the data gathering process, Symantec scores the vulnerabilities according to version 2.0 of the community-based CVSS (Common Vulnerability Scoring System). 1 Symantec adopted version 2.0 of the scoring system in 2008. The total number of vulnerabilities is determined by counting all of the vulnerabilities published during the reporting period. All vulnerabilities are included, regardless of severity or whether or not the vendor who produced the vulnerable product confirmed them.
p. 139 Symantec Corporation Internet Security Threat Report 2013 :: Volume 18 VULNERABILITy TRENDS Data Figure D.1. Total Vulnerabilities Identified, 2006–2012 Source: Symantec 6,000 5,000 4,000 3,000 2,000 1,000 Figure D.2. New Vulnerabilities Month by Month, 2011 and 2012 Source: Symantec 600 500 400 300 200 100 JAN 4,842 2006 FEB 4,644 2007 MAR APR 5,562 2008 MAY JUN 4,814 2009 JUL 6,253 AUG 2010 SEP 4,814 2011 OCT NOV 5,291 2012 DEC 2011 2012
Page 1 and 2:
internet security tHreAt rePOrt GOV
Page 3 and 4:
p. 3 Symantec Corporation Internet
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
internet security tHreAt rePOrt APP
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88: p. 87 Symantec Corporation Internet
Page 101 and 102: p. 101 Symantec Corporation Interne
Page 137: p. 137 Symantec Corporation Interne
show all

internet security tHreAt rePOrt GOVernMent 2013

Create successful ePaper yourself

Delete template?

Save as template?