Mr. John (name changed) is the senior security manager of one of the largest organizations in the world. Mr. John enforces the best security policies to protect his organization from the latest threats and risks. He has deployed the best anti-virus on all desktops and servers, and keeps all anti-virus signatures updated at all times. He has deployed firewalls at the perimeter of his organization's network, and IDS/IPS to proactively detect any malicious activity in the network. He enforces regular backups and has an incident response team to act upon any unforeseen event. Mr. John trusts anti-virus, firewalls and IDS/IPS to implement the best network security in his organization.
Very recently, during our penetration testing assignment with Mr. John's organization, Mr. John and his senior management team asked us, "How secure are my anti-virus and firewalls?" They also wanted to know the vulnerability trends in security products.
We did a survey on the internet to find something closely related to vulnerability trends in security products. As part of our survey, we came across some interesting articles such as "Security Vulnerability found in almost all antivirus and security products", "IBM: 2010 Mid-Year Trend and Risk Report", "Secunia: Half Year Report for 2010 shows interesting trends" and many more, but nothing was close to what we were looking for. Finally, we decided to pull data out of the NVD vulnerability database and run some SQL queries to produce some interesting statistics. We decided to publish the statistics as a whitepaper to benefit the whole security community. You can download the latest copy from here.
History of Vulnerability Findings in Security Products
The following figure shows vulnerability findings in security products over the last 10 years (the "big bang" was the year 2000, when the first vulnerabilities were reported in security products). As shown, security products are not immune to vulnerabilities and security flaws. In fact, your anti-virus and firewalls are often deployed at the perimeter and gateways, and as a result they are the most lucrative targets for an attacker looking to compromise your network and personal desktop. Interestingly, the year 2005 saw a large increase in vulnerability findings in security products.
Vulnerability Findings in Major Security Product Types
We classified the security products into the major classes of anti-virus (personal, enterprise, mail, gateway etc.), firewalls (network, web application etc.), IDS/IPS, VPN and others (others include products such as security management software, NAC devices and other miscellaneous security software). The following figure shows that all classes / types of security products are affected by security flaws. Anti-virus tops the list with 625 vulnerabilities reported up to the end of 2010, followed by firewalls.
When we dug deeper, we found that Cisco (with 838 vulnerability findings overall) tops the list of security vendors affected by vulnerability findings in their products, followed by Symantec with 258 vulnerability findings overall. Some of the major security products that top the list are ClamAV Anti-virus, Norton Antivirus, Check Point Firewall-1 and Cisco PIX Firewall.
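The NVD query method described above (pulling records out of the database, mapping each affected product to one of the classes used in the report, and counting with SQL) as an added illustration that is not the whitepaper's own script: a constructed set of NVD-style rows with placeholder CVE ids is loaded into an in-memory SQLite table and summarised per year, per product class and per vendor. The keyword classifier and the sample rows are assumptions; the report's own classification was done by hand.

```python
import sqlite3
# Constructed NVD-style rows (cve_id, published_year, cpe_uri). The CVE ids are
# placeholders, not real identifiers; the CPE URIs use the cpe:/a:vendor:product:version form.
SAMPLE_ROWS = [
    ("CVE-EXAMPLE-0001", 2004, "cpe:/a:clamav:clamav:0.80"),
    ("CVE-EXAMPLE-0001", 2004, "cpe:/a:clamav:clamav:0.81"),  # same CVE, second affected version
    ("CVE-EXAMPLE-0002", 2005, "cpe:/a:symantec:norton_antivirus:2005"),
    ("CVE-EXAMPLE-0003", 2005, "cpe:/a:cisco:pix_firewall:6.3"),
    ("CVE-EXAMPLE-0004", 2005, "cpe:/a:checkpoint:firewall-1:ng"),
    ("CVE-EXAMPLE-0005", 2006, "cpe:/a:cisco:vpn_3000_concentrator:4.7"),
    ("CVE-EXAMPLE-0006", 2006, "cpe:/a:snort:snort:2.6"),
    ("CVE-EXAMPLE-0007", 2007, "cpe:/a:cisco:secure_access_control_server:4.1"),
]
# Assumed keyword classifier (the report classified products by hand); checked in order.
PRODUCT_CLASSES = [
    ("Anti-virus", ("antivirus", "anti-virus", "clamav")),
    ("Firewall", ("firewall", "pix")),
    ("IDS/IPS", ("snort", "intrusion")),
    ("VPN", ("vpn",)),
]

def parse_cpe(cpe_uri):
    # Return (vendor, product) from a cpe:/a:vendor:product[:version...] URI.
    parts = cpe_uri.split(":")
    if len(parts) < 4 or parts[0] != "cpe" or parts[1] != "/a":
        raise ValueError("unsupported CPE URI: " + cpe_uri)
    return parts[2], parts[3]

def classify(product):
    # Map a CPE product name to one of the report's product classes.
    name = product.lower()
    for label, keywords in PRODUCT_CLASSES:
        if any(k in name for k in keywords):
            return label
    return "Others"

def load(rows):
    # One table row per CPE entry, so a CVE with several entries appears several times.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vuln (cve_id TEXT, year INTEGER, vendor TEXT, product TEXT, product_type TEXT)")
    for cve_id, year, cpe_uri in rows:
        vendor, product = parse_cpe(cpe_uri)
        conn.execute("INSERT INTO vuln VALUES (?, ?, ?, ?, ?)", (cve_id, year, vendor, product, classify(product)))
    return conn

def count_by(conn, column):
    # COUNT(DISTINCT cve_id) keeps a CVE with many affected versions from being counted twice.
    if column not in ("year", "vendor", "product_type"):  # whitelist before formatting into SQL
        raise ValueError("unknown column: " + column)
    sql = "SELECT {0}, COUNT(DISTINCT cve_id) FROM vuln GROUP BY {0}".format(column)
    return dict(conn.execute(sql).fetchall())
```

Counting distinct CVE ids per group is the step that matters on real NVD data: a single CVE usually lists many CPE entries (one per affected version), and counting rows instead of CVEs inflates every figure.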
Security products like anti-virus, firewalls, IDS/IPS and VPN have become of paramount importance in providing the highest degree of confidentiality, integrity and availability (CIA) to individuals and organizations. However, it is foolish to assume that security products are free from vulnerabilities (security flaws). Security products can themselves be targets of attack.
Please download the full report of Vulnerability Trends in Security Products up to Year 2010 and post your views/feedback in the comments. If relevant, we will update the report with due credit to you.
- KHOBE – 8.0 earthquake for Windows desktop security software
- Security vendors respond to Matousec research
- IBM: 2010 Mid-Year Trend and Risk Report
- Secunia: Half Year Report for 2010 shows interesting trends
- SANS: The Top Cyber Security Risks
- Common Vulnerability Enumeration (CVE)
- Common Product Enumeration (CPE)
- National Vulnerability Database (NVD)