Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, November 14, 2005

Enterprises Patch 10 Percent Faster, But Not Fast Enough

Even though two out of every three machines are vulnerable to one or more critical vulnerabilities, enterprises are managing to patch faster than ever, a researcher said on the eve of his keynote speech at a security conference. 
The “half-life” of vulnerabilities—the amount of time it takes companies to patch half of their systems against a newly-disclosed bug—continues to drop, said Gerhard Eschelbeck, the chief technology officer of Qualys and the creator of his self-titled “Laws of Vulnerabilities.”  Eschelbeck based his research on statistical analysis of 21 million critical vulnerabilities, and 32 million network scans conducted over a three-year period. 
Companies have made dramatic progress in patching internal computers, too: the half-life for internal systems was cut by 23 percent in the last year, to roughly 48 days, down from 62 days in 2004, Eschelbeck said.

“We’ve made significant progress in reducing the window of exposure,” said Eschelbeck, noting that the half-life for a critical vulnerability on an externally-facing computer is now 19 days, down from 2004’s 21 days. “In large part, that’s due to the perception, rightly deserved, that the risk on external machines is higher.”
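The half-life the article describes is a simple statistic over scan results: the number of days after disclosure by which half of the scanned hosts have been patched. The following is an added example (not from the article, from Qualys, or from Eschelbeck's research) that computes it, together with the share of hosts still exposed at a given day, from constructed scan data; the host names, patch days and the 365-day horizon are assumptions, and the year-over-year figures passed to improvement_pct are the article's own 21-to-19 and 62-to-48 day numbers.

```python
"""Vulnerability half-life and exposure window from scan results.

Added example, not from the article or from Qualys: the half-life is
measured the way the article defines it, as the number of days after
disclosure by which half of the scanned hosts have been patched.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HostScan:
    host: str
    # Day (after disclosure) on which the scanner first saw the fix applied;
    # None means the host was still vulnerable at the last scan.
    patched_on_day: Optional[int]


# Constructed sample data (assumption): 10 externally facing and 10 internal hosts.
EXTERNAL = [HostScan(f"ext{i:02d}", d) for i, d in
            enumerate([3, 5, 7, 10, 19, 25, 30, 40, None, None])]
INTERNAL = [HostScan(f"int{i:02d}", d) for i, d in
            enumerate([8, 15, 22, 30, 48, 55, 70, None, None, None])]


def patched_fraction(scans, day):
    """Share of hosts patched on or before `day`."""
    if not scans:
        raise ValueError("no scan results")
    done = sum(1 for s in scans
               if s.patched_on_day is not None and s.patched_on_day <= day)
    return done / len(scans)


def exposed_fraction(scans, day):
    """Share of hosts still vulnerable after `day` days."""
    return 1 - patched_fraction(scans, day)


def half_life(scans, horizon_days=365):
    """First day on which at least half of the hosts are patched, or None
    if that point is not reached within the horizon (the assumed default
    horizon is one year)."""
    for day in range(horizon_days + 1):
        if patched_fraction(scans, day) >= 0.5:
            return day
    return None


def improvement_pct(old_days, new_days):
    """Percentage reduction of a half-life between two measurements."""
    return round((old_days - new_days) / old_days * 100)


if __name__ == "__main__":
    for label, scans in (("external", EXTERNAL), ("internal", INTERNAL)):
        print(f"{label}: half-life {half_life(scans)} days, "
              f"{exposed_fraction(scans, 15):.0%} still exposed at day 15")
    # The article's year-over-year figures: 21 -> 19 days and 62 -> 48 days.
    print(improvement_pct(21, 19), improvement_pct(62, 48))
```

The day-15 exposure figure is worth tracking alongside the half-life: by the article's numbers, that is the point by which automated attacks have done 85 percent of their damage, so the share of hosts still unpatched on that day is a direct measure of what an outbreak can reach.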

“Automated attacks [now] create 85 percent of their damage within the first 15 days from the outbreak,” said Eschelbeck.  Last year, he reported that 80 percent of the damage was done in the first 42 days.

According to Eschelbeck’s data, patches released on a predefined schedule—monthly or quarterly—are deployed 18 percent faster than those for vulnerabilities whose fixes are released ad hoc.

“It seems a predictive schedule makes it easier to organize and plan and put together resources for patching, rather than scramble when a patch suddenly appears.”  That finding should sit well with Microsoft, one of the first major developers to go to a regular release schedule.

Among his other conclusions, Eschelbeck downplayed concern over wireless security, saying that the problem is really overrated.  “People think that wireless is such a big exposure point for networks, and that it’s a real problem, but only 1 in 18,220 critical vulnerabilities is caused by a wireless access point.”  “By reducing it another 20 percent, we can make networks even more secure.”

In addition, with an increasing number of critical vulnerabilities, enterprises need to look harder at prioritizing their patching.  The Common Vulnerability Scoring System (CVSS), which was designed by several technology companies, including Cisco, eBay, Internet Security Systems, and Qualys, is the primary initiative for such scoring.  “Scoring and prioritization are going to be more important in 2006.”

Posted on 11/14