Patching Still Trips Up IT
This year's ''Laws of Vulnerabilities'' study shows that administrators are getting better at patching, but it's still not good enough.
In his third annual ''Laws of Vulnerabilities'' study, Gerhard Eschelbeck, CTO and vice president of engineering at security company Qualys, Inc., shows that IT administrators are getting their systems -- particularly their external systems -- patched at a greater speed than even a year ago. Hackers, however, are picking up their own pace, making it a brutal race to secure the enterprise.
''This has clearly been the year of progress,'' Eschelbeck told eSecurityPlanet in a one-on-one interview. ''People have been able to patch their systems that much faster. It's a matter of prioritizing. Clearly, patching is more important to them now. Worms and the damage they've brought has increased the immediacy of the issue.''
Eschelbeck's study shows that on external systems the vulnerability half-life went from 21 days in 2004 to 19 days in the later part of this year. In 2003, it was 30 days. And on internal systems, the vulnerability half-life went from 62 days in 2004 to 48 days this year.
Eschelbeck says there's significant improvement for both internal and external systems but administrators need to focus more on improving their patch management for internal systems, even though they're not directly connected to the Internet.
''People perceive external systems as a higher risk,'' he explains. ''They think they have to take action immediately because these systems are exposed to the Internet, where as their other systems are protected by a firewall. And with internal systems, patching is slower because of the sheer amount of work to be done. If you compare a typical organization, you may have five servers on the Internet that require patching, while on the internal network you may have 5,000 desktops, along with databases and other systems. There's simply a lot more work to patch internal systems than external.''
Eschelbeck also notes that his study shows that in the past year there has been a major shift in attacks on the network.
Before this year, 80 percent to 90 percent of attacks were aimed at the server side. Now, 60 percent of attacks are hitting client applications -- browsers, media players, flash players. ''The reason for the shift is a lot of the low-hanging fruit on the server side has been found and published. There still is a lot of low-hanging fruit out there on the client side... It doesn't mean there are no vulnerabilities left [on the server side] but the low-hanging fruit is gone.''
Eschelbeck says there are two things he foresees for 2006: