While IT administrators have stepped up their attention to patches, nearly 70 percent of systems are still vulnerable to attack, according to a new study.

In his third annual ''Laws of Vulnerabilities'' study, Gerhard Eschelbeck, CTO and vice president of engineering at security company Qualys, Inc., shows that IT administrators are getting their systems -- particularly their external systems -- patched at a greater speed than even a year ago. Hackers, however, are picking up their own pace, making it a brutal race to secure the enterprise.

''This has clearly been the year of progress,'' Eschelbeck told eSecurityPlanet in a one-on-one interview. ''People have been able to patch their systems that much faster. It's a matter of prioritizing. Clearly, patching is more important to them now. Worms and the damage they've brought have increased the immediacy of the issue.''

Eschelbeck's study shows that on external systems the vulnerability half-life went from 21 days in 2004 to 19 days in the latter part of this year. In 2003, it was 30 days. On internal systems, the vulnerability half-life went from 62 days in 2004 to 48 days this year.

The vulnerability half-life is defined as the time between the vendor's release of a patch and the point at which 50 percent of the affected systems have installed it.
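The half-life figures above come from measuring a patch's rollout across a population of hosts. The script below is an added example, not code from the article or from Qualys, showing how that measurement works: it takes a constructed set of host records (hostname, tier, patch-install date or None if still unpatched), finds the day on which half of each tier had installed the patch, and reports the fraction still vulnerable on a given day. The host names, dates and the `projected_vulnerable_fraction` decay model are assumptions made for this illustration; the sample data is built so the external and internal tiers land on the 19- and 48-day figures quoted above.

```python
"""Empirical vulnerability half-life from patch-install telemetry.

Added example (not from the article or the Qualys study). All host records,
dates and the decay model are constructed for illustration.
"""
import math
from datetime import date

# Assumed vendor patch release date for the constructed data set.
PATCH_RELEASE = date(2005, 10, 11)

# Constructed sample: (hostname, tier, date the patch was installed, or None).
HOSTS = [
    ("web-01", "external", date(2005, 10, 13)),   # +2 days
    ("web-02", "external", date(2005, 10, 15)),   # +4
    ("mail-01", "external", date(2005, 10, 30)),  # +19
    ("dns-01", "external", date(2005, 11, 5)),    # +25
    ("vpn-01", "external", None),                 # still unpatched
    ("desk-01", "internal", date(2005, 10, 12)),  # +1
    ("desk-02", "internal", date(2005, 10, 21)),  # +10
    ("desk-03", "internal", date(2005, 11, 10)),  # +30
    ("desk-04", "internal", date(2005, 11, 25)),  # +45
    ("db-01", "internal", date(2005, 11, 28)),    # +48
    ("desk-05", "internal", date(2005, 12, 10)),  # +60
    ("desk-06", "internal", date(2005, 12, 25)),  # +75
    ("desk-07", "internal", None),
    ("desk-08", "internal", None),
    ("desk-09", "internal", None),
]


def days_to_fraction_patched(release, install_dates, fraction=0.5):
    """Days after `release` until at least `fraction` of hosts were patched.

    Hosts with an install date of None never reach the patched state, so they
    count against the denominator but never toward the numerator. Returns None
    if the target fraction is never reached (the half-life is undefined).
    """
    needed = math.ceil(fraction * len(install_dates))
    patched_days = sorted((d - release).days for d in install_dates if d is not None)
    if needed == 0 or len(patched_days) < needed:
        return None
    # The k-th earliest install (1-based) is the day the fraction was first met.
    return patched_days[needed - 1]


def vulnerable_fraction(release, install_dates, on_day):
    """Fraction of hosts still unpatched `on_day` days after release."""
    still_vulnerable = sum(
        1 for d in install_dates if d is None or (d - release).days > on_day
    )
    return still_vulnerable / len(install_dates)


def install_dates_for(hosts, tier):
    """Install dates of all hosts in one tier (external/internal)."""
    return [d for _, t, d in hosts if t == tier]


def half_life_by_tier(hosts, release):
    """Map each tier to its empirical half-life in days (None if never reached)."""
    tiers = sorted({t for _, t, _ in hosts})
    return {t: days_to_fraction_patched(release, install_dates_for(hosts, t)) for t in tiers}


def projected_vulnerable_fraction(half_life_days, day):
    """Assumed model: a half-life implies constant-rate (exponential) decay,
    so the unpatched share after `day` days is 0.5 ** (day / half_life)."""
    return 0.5 ** (day / half_life_days)


if __name__ == "__main__":
    print("half-life by tier:", half_life_by_tier(HOSTS, PATCH_RELEASE))
    for tier in ("external", "internal"):
        frac = vulnerable_fraction(PATCH_RELEASE, install_dates_for(HOSTS, tier), 19)
        print(f"{tier}: {frac:.0%} still vulnerable 19 days after release")
    print("projected unpatched share at 2 external half-lives:",
          projected_vulnerable_fraction(19, 38))
```

Two details matter when running this against real inventory data. First, hosts that never patch must stay in the denominator; dropping them makes the half-life look shorter than it is. Second, the empirical function reports the day the 50 percent mark was actually crossed, while the decay model only projects from a half-life you already measured, so use the former for reporting and the latter only for rough forecasting of how much exposure remains at a given date.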

Eschelbeck says there's significant improvement for both internal and external systems but administrators need to focus more on improving their patch management for internal systems, even though they're not directly connected to the Internet.

''People perceive external systems as a higher risk,'' he explains. ''They think they have to take action immediately because these systems are exposed to the Internet, whereas their other systems are protected by a firewall. And with internal systems, patching is slower because of the sheer amount of work to be done. If you compare a typical organization, you may have five servers on the Internet that require patching, while on the internal network you may have 5,000 desktops, along with databases and other systems. There's simply a lot more work to patch internal systems than external.''

Eschelbeck also notes that his study shows that in the past year there has been a major shift in attacks on the network.

Before this year, 80 percent to 90 percent of attacks were aimed at the server side. Now, 60 percent of attacks are hitting client applications -- browsers, media players, Flash players. ''The reason for the shift is a lot of the low-hanging fruit on the server side has been found and published. There still is a lot of low-hanging fruit out there on the client side... It doesn't mean there are no vulnerabilities left [on the server side] but the low-hanging fruit is gone.''

Looking Ahead

Eschelbeck says there are two things he foresees for 2006:

  • Administrators will continue shrinking the vulnerability half-life, taking it down another 20 percent on internal and external systems. ''The most effective way of accomplishing that is by prioritization,'' he says. ''There is no way to effectively patch each and every vulnerability, so we must focus on the top 10 percent. Some companies are Windows shops, but others may be a Unix shop or run a big Oracle database. You will all have different priorities. That's where vulnerability management helps you to prioritize. You need to base your decisions on the individual technologies you are using.''
  • Eschelbeck also thinks the time when a worker just plugs her laptop into the corporate network and goes to work is just about over. ''Today, I'm immediately connected [when I plug my laptop in] but in the future, every device will be validated first... Is this a machine that is properly patched, free from backdoors, has updated anti-virus? If not, the machine will be put into a patching network where it will be updated and patched and cleaned. Only then will it be allowed onto the corporate network.''