Computing Project II

Project Report
(January April 2015)

Common Vulnerabilities and Exposures

Submitted by

Rishi Ramawat
11201887
CSE308
Section: K1208
Under the Guidance of
Ms Maneet Kaur

Department of Computer Science and Engineering,

Lovely Professional University, Punjab, INDIA

DECLARATION

I, Rishi Ramawat, student of Computing Practicum-II under CSE/IT Discipline at

Lovely Professional University, Punjab, hereby declare that all the information furnished in
this computing project report is based on my own intensive work and is genuine.
I declare that this Project is my individual work. I have not copied it from any other
students work or from any other source except where due acknowledgement is made
explicitly in the text, nor has any part been done for me by any other person.

Date:
Registration No. 11201887

Signature:
RISHI RAMAWAT

Acknowledgement

This project consumed huge amount of work, research and dedication. Still, implementation
would not have been possible if I did not have a support of many individuals and organizations.
Therefore I would like to extend my sincere gratitude to all of them. First of all I am thankful
to Lovely Professional University for their logistical support and for providing necessary guidance
concerning projects implementation.
I am highly indebted to my Supervisor and Mentor on this Project Ms Maneet Kaur for
provision of expertise, and guidance in the implementation. Without her superior knowledge and
experience, the Project would lack in quality of outcomes, and thus her support has been essential.
Nevertheless, I express my gratitude towards my family and colleagues for their kind cooperation and encouragement which help me in completion of this project.

Index

CONTENTS

Page No.

1. Introduction . 1
2. Scope of the Project .... 2
3. About CVEs ... 3
4. Data Collection ... 5
5. Pre-Processing of dataset 6
6. Analysis Performed . 7
7. References . 17

INTRODUCTION

This Project is based on Information Security. The aim of this Project is to analyse the data
collected on the Common Vulnerabilities and Exposures (CVE).
Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly
known information security vulnerabilities and exposures in publicly released software packages.
MITRE Corporation maintains the system, with funding from the National Cyber Security Division
of the United States Department of Homeland Security.
CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's
system as well as the US National Vulnerability Database.

Scope of the Project

This project would help in analysing the Security Vulnerabilities released since 1999 till date.
It would answer many questions like which kind of vulnerability has been the most dangerous
and which kind of vulnerability has been the most common in the publicly released software
packages.
It would also help us in finding and analysing the total number of vulnerabilities found yet in
the software products used frequently by people in daily life.

About CVEs
Below are the CVE Initiatives definitions of the terms "Vulnerability" and "Exposure":
Vulnerability
An information security "vulnerability" is a mistake in software that can be directly used by a hacker
to gain access to a system or network.
CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable
security policy for that system (this excludes entirely "open" security policies in which all users are
trusted, or where there is no consideration of risk to the system).
For CVE, a vulnerability is a state in a computing system (or set of systems) that either:

allows an attacker to execute commands as another user

allows an attacker to access data that is contrary to the specified access restrictions for that
data

allows an attacker to pose as another entity

allows an attacker to conduct a denial of service

Examples of vulnerabilities include:

phf (remote command execution as user "nobody")

rpc.ttdbserverd (remote command execution as root)

world-writeable password file (modification of system-critical data)

default password (remote command execution or other access)

denial of service problems that allow an attacker to cause a Blue Screen of Death

smurf (denial of service by flooding a network)

Review vulnerabilities on the Common Vulnerabilities and Exposures (CVE) List.

Exposure
An information security "exposure" is a system configuration issue or a mistake in software that
allows access to information or capabilities that can be used by a hacker as a stepping-stone into a
system or network.

CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise
but could be an important component of a successful attack, and is a violation of a reasonable security
policy.
An "exposure" describes a state in a computing system (or set of systems) that is not a vulnerability,
but either:

allows an attacker to conduct information gathering activities

allows an attacker to hide activities

includes a capability that behaves as expected, but can be easily compromised

is a primary point of entry that an attacker may attempt to use to gain access to the system or
data

is considered a problem according to some reasonable security policy

Examples of exposures include:

running services such as finger (useful for information gathering, though it works as
advertised)

inappropriate settings for Windows NT auditing policies (where "inappropriate" is enterprisespecific)

running services that are common attack points (e.g., HTTP, FTP, or SMTP)

use of applications or services that can be successfully attacked by brute force methods (e.g.,
use of trivially broken encryption, or a small key space)

CVE is a dictionary of publicly known information security vulnerabilities and exposures.

CVEs common identifiers enable data exchange between security products and provide a baseline
index point for evaluating coverage of tools and services.
Widespread Use of CVE

CVE Numbering Authorities (CNAs)

NVD (National Vulnerability Database)
Vulnerability Scoring (CVSS)
CVE-Compatible Products & Services
Security Content Automation
US-CERT Bulletins

Vulnerability Management
Patch Management
Vulnerability Alerting
Intrusion Detection

Data Collection

The data can be collected by two ways they are through the primary and secondary way. The primary
way involves manual collection of the data from the processes like surveys, etc. whereas the
secondary process involves the collection of the data from the sources like internet, organization and
clubs etc. I have collected data from the internet through a website that provides the complete security
vulnerability data source.
The Dataset has 68,480 rows and 14 Columns.

Snapshot 1: Collected Data

Pre-Processing of Dataset
The data collected did not require any Major Transformations as it was analysis ready.
A few Transformations which were performed are as follows:
1. The dates present in the database were in the following format which were less easier for the
eyes to read

These dates were transformed into following custom format:

2. The Column CWE-ID was deleted as it did not contain any useful Information for Analysis
3. The top Row i.e. the Label Pane was froze so as to allow the users Easier Readability of such
a large dataset.

Analysis Performed
1. Total Number of Vulnerabilities Categorised by Type of Vulnerability
a. Functions Used:
i. COUNTIF()
b. Excel features used: The Excel Charts feature has been used to draw a column chart
c. Snapshots:

Figure: The Dataset generated from the Database

Figure: The Column Chart based on the generated dataset

Figure: Pie Chart displaying the % share in total of each Vulnerability

d. Conclusion: The Analysis clearly shows that the Execute Code and Denial of Service
(DoS) were the two most common vulnerabilities amongst all.

2. Number of Vulnerabilities found each Year

a. Function Used:
i. COUNTIFS()
b. Excel features used: The Excel Charts feature has been used to draw a column chart
c. Snapshots:

Figure: Column Chart displaying the No. of Security Vulnerabilities found each year

Figure: The Dataset showing the No. of Security vulnerabilities found in each year
d. Conclusion: The analysis shows that the highest No. of Security Vulnerabilities were
recorded in the year 2014.

3. CVSS Score Distribution Report

a. Functions Used:
i. COUNTIFS()
ii. SUM()
iii. SUMPRODUCT()
b. Excel features used:
i. The Excel Charts feature has been used to draw a column chart
ii. AutoSum feature was used to calculate sum
c. Snapshots:

Figure: Generated Table for calculation Weighted Average CVSS Score

Figure: Histogram displaying the No. of Vulnerabilities in each range

d. Conclusion: The analysis shows that the Weighted Average CVSS Score is 6.33(Approx.)

4. Vulnerabilities by Type and Year

a. Functions Used:
i. IF()
ii. COUNTIFS()
b. Excel features used:
i. The Excel Charts feature has been used to draw a column chart
ii. Check Boxes were used to draw the charts of selected data
c. Snapshots:

Figure: The Generated Table

Figure: The Dashboard displaying yearly recordings of XSS, Execute Code and Total
Vulnerabilities
d. Conclusion: An user-friendly and interactive dashboard has been developed displaying
year-wise distribution of each vulnerability

5. Top 50 Products CVSS Scores Distribution

a. Functions Used:
i. COUNTIF()
ii. COUNTIFS()
iii. SUMIFS()
iv. CONCATENATE()
b. Excel features used: The Excel Charts feature has been used to draw a column chart
c. Snapshots:

Figure: The Data Table showing the CVSS Score distribution of Top 50 Products

Figure: The Table Generated using the previous data showing the Total No. Of Vulnerabilities
in Softwares developed by these Vendors

Figure: Column chart displaying the Total No. Of Vulnerabilities in Softwares developed by
these Vendors

d. Conclusion: The Analysis shows that the Softwares Releases by Microsoft Corporation and
Apple Inc. have the highest Number of vulnerabilities

6. Top 50 Vendors CVSS Scores Distribution

a. Functions Used:
i. COUNTIF()
ii. COUNTIFS()
iii. CONCATENATE()
b. Snapshots:

Figure: The Data Table showing the CVSS Score distribution of Top 50 Vendors

7. Simple Search in the Dataset

a. Function Used:
i. VLOOKUP()
b. Snapshot:

Figure: The Details of Corresponding CVE-ID being displayed by searching in the DataSet

REFERENCES
http://www.cvedetails.com/
https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
www.excel-easy.com/functions.html
http://www.excelfunctions.net/