“We’ve made significant progress in reducing the window of exposure,” said Eschelbeck, noting that the half-life for a critical vulnerability on an externally-facing computer is now 19 days, down from 2004’s 21. “In large part, that’s due to the perception, rightly deserved, that the risk on external machines is higher.”
“Automated attacks [now] create 85 percent of their damage within the first 15 days from the outbreak,” said Eschelbeck. Last year, he reported that 80 percent of the damage was done in the first 42 days.
According to Eschelbeck’s data, patches released on a predefined schedule — monthly or quarterly — are deployed 18 percent faster than those for vulnerabilities whose fixes are released ad hoc.
“It seems a predictive schedule makes it easier to organize and plan and put together resources for patching, rather than scramble when a patch suddenly appears.” That finding should sit well with Microsoft, one of the first major developers to go to a regular release schedule.
Among his other conclusions, Eschelbeck downplayed concern over wireless security, saying that the problem is really overrated. “People think that wireless is such a big exposure point for networks, and that it’s a real problem, but only 1 in 18,220 critical vulnerabilities is caused by a wireless access point.” “By reducing it another 20 percent, we can make networks even more secure.”
In addition, with an increasing number of critical vulnerabilities, enterprises need to look harder at prioritizing their patching. The Common Vulnerability Scoring System (CVSS), which was designed by several technology companies, including Cisco, eBay, Internet Security Systems, and Qualys, is the primary initiative. “Scoring and prioritization are going to be more important in 2006.”
http://www.securitypipeline.com/news/173602790