
No end seen to patching race

System administrators are dealing with security vulnerabilities more quickly, but attacks are also appearing sooner.

Joris Evers, Staff Writer, CNET News.com
Joris Evers covers security.
WASHINGTON--System administrators may be dealing with security vulnerabilities more quickly, but the bad guys are still leading the race.

That's because threats that exploit the flaws are also appearing sooner, according to research presented Tuesday.

[Photo caption] Gerhard Eschelbeck, CTO, Qualys

Although patching practices improved in the last year, nearly 70 percent of systems are currently vulnerable and at risk of attack, Gerhard Eschelbeck, chief technology officer and vice president of engineering at vulnerability management vendor Qualys, said during a presentation at the Computer Security Institute conference here.

In 2005, administrators have shaved two days off the "vulnerability half life," the time it takes to reduce the number of vulnerable systems that have direct Internet connections, Eschelbeck said.

Every 19 days, half of all the critical vulnerabilities are currently dealt with, either via a patch, a workaround or another security solution, according to Eschelbeck. That compares with 21 days a year ago and 30 days two years ago, he said.

But 19 days to fix half of all the vulnerable systems is not good enough. "Eighty percent of the exploits come out within the first half life of the vulnerability," Eschelbeck said. The "window of exposure" continues to shrink.

Administrators take their time to patch internal systems, which are behind a firewall or protected by other security technologies. Half of the vulnerable systems are now protected in 48 days, compared to 62 days last year, Eschelbeck said.
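The half-life figures above are read off repeated scan data. As an added illustration, not code from the article or from Qualys, the following Python fits a half-life to a constructed series of scan snapshots for one vulnerability and projects from it how much of the population is still exposed on a given day; the snapshot numbers and function names are assumptions made for the example.

```python
"""Estimate a 'vulnerability half-life' from periodic scan snapshots.

Model: N(t) = N0 * 0.5 ** (t / half_life), i.e. exponential decay of the
number of vulnerable hosts. Fitting a straight line to log(N) against t
gives the decay rate, and the half-life follows as -ln(2) / slope.
"""
import math

# Constructed sample data (assumed, not from the article): days since the
# advisory and how many Internet-facing hosts a scan still found vulnerable.
# Values were generated around a true half-life of 19 days with some noise.
SCAN_SNAPSHOTS = [
    (0, 1000), (7, 780), (14, 600), (21, 470), (28, 360),
    (35, 280), (42, 215), (49, 170), (56, 130),
]


def fit_half_life(snapshots):
    """Least-squares fit of log(N) = a + b*t; returns half-life in days."""
    ts = [t for t, _ in snapshots]
    ys = [math.log(n) for _, n in snapshots]
    count = len(ts)
    mean_t = sum(ts) / count
    mean_y = sum(ys) / count
    sxx = sum((t - mean_t) ** 2 for t in ts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in zip(ts, ys))
    slope = sxy / sxx
    if slope >= 0:
        # A flat or growing count means the model does not apply.
        raise ValueError("vulnerable population is not shrinking")
    return -math.log(2) / slope


def fraction_remaining(half_life, day):
    """Share of the original population still vulnerable on `day`."""
    return 0.5 ** (day / half_life)


def days_until(half_life, fraction):
    """Days until only `fraction` of the population remains vulnerable."""
    return half_life * math.log2(1 / fraction)


if __name__ == "__main__":
    hl = fit_half_life(SCAN_SNAPSHOTS)
    print(f"estimated half-life: {hl:.1f} days")
    # With the article's 19-day figure, an exploit arriving at day 19
    # still finds half the population exposed; at day 38, a quarter.
    for day in (19, 38, 57):
        print(f"day {day}: {fraction_remaining(19, day):.0%} still vulnerable")
    print(f"days to reach 10% exposed: {days_until(19, 0.10):.1f}")
```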

To better secure their systems, Eschelbeck recommends that organizations prioritize their patches. "Ninety percent of exposure is caused by 10 percent of the vulnerabilities," he said. To assist in the prioritization task, Eschelbeck pitched the Common Vulnerability Scoring System, or CVSS, which was introduced earlier this year.

"With the constant evolution and complexity of critical vulnerabilities, it is impossible for an organization to fix every potential flaw. It is essential to prioritize and patch those vulnerabilities that are most damaging to their individual network," he said.

For his research, Eschelbeck analyzed data from more than 32 million vulnerability scans. For 2003 and 2004, the data is for the full year, while the data for 2005 is for the first three quarters.