Patching Still Trips Up IT

While IT administrators have stepped up their attention to patches, nearly 70 percent of systems still are vulnerable to attack, according to a new study.

In his third annual “Laws of Vulnerabilities” study, Gerhard Eschelbeck, CTO and vice president of engineering at security company Qualys, Inc., shows that IT administrators are getting their systems – particularly their external systems – patched at a greater speed than even a year ago. Hackers, however, are picking up their own pace, making it a brutal race to secure the enterprise.

“This has clearly been the year of progress,” Eschelbeck told eSecurityPlanet in a one-on-one interview. “People have been able to patch their systems that much faster. It’s a matter of prioritizing. Clearly, patching is more important to them now. Worms and the damage they’ve brought have increased the immediacy of the issue.”

Eschelbeck’s study shows that on external systems the vulnerability half-life went from 21 days in 2004 to 19 days in the later part of this year. In 2003, it was 30 days. And on internal systems, the vulnerability half-life went from 62 days in 2004 to 48 days this year.

The vulnerability half-life is considered to be the time between when the vendor releases a patch and the point when 50 percent of systems have installed it.
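As an added example (not from the study or the article), the half-life metric computed over a constructed host inventory, split into external and internal populations the way the study reports it. Unpatched hosts count toward the total, and when fewer than half of a population has installed the patch the half-life is undefined rather than zero.

```python
from datetime import date
from typing import Optional

# Constructed inventory, not data from the study: (host, zone, date the patch
# was installed, or None if the host is still unpatched).
PATCH_RELEASED = date(2005, 10, 1)
INVENTORY = [
    ("web-1", "external", date(2005, 10, 3)),
    ("web-2", "external", date(2005, 10, 11)),
    ("mail-1", "external", date(2005, 10, 20)),
    ("vpn-1", "external", None),
    ("dns-1", "external", None),
    ("desk-01", "internal", date(2005, 10, 6)),
    ("desk-02", "internal", date(2005, 10, 21)),
    ("desk-03", "internal", date(2005, 11, 18)),
    ("desk-04", "internal", None),
    ("desk-05", "internal", None),
    ("db-1", "internal", None),
]


def half_life_days(release: date, installs: list, total_hosts: int) -> Optional[int]:
    """Days from patch release until at least half of total_hosts had it installed.

    installs holds dates for patched hosts only; unpatched hosts are counted in
    total_hosts. Returns None while coverage is below 50 percent.
    """
    delays = sorted((d - release).days for d in installs if d >= release)
    needed = -(-total_hosts // 2)  # ceil(total_hosts / 2) hosts for 50 percent
    if len(delays) < needed:
        return None
    return delays[needed - 1]


def half_life_by_zone(inventory: list, release: date) -> dict:
    """Per-zone host count, current patch coverage and half-life in days."""
    by_zone: dict = {}
    for _host, zone, installed in inventory:
        by_zone.setdefault(zone, []).append(installed)
    report = {}
    for zone, entries in by_zone.items():
        installs = [d for d in entries if d is not None]
        report[zone] = {
            "hosts": len(entries),
            "coverage": len(installs) / len(entries),
            "half_life_days": half_life_days(release, installs, len(entries)),
        }
    return report
```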

Eschelbeck says there’s significant improvement for both internal and external systems but administrators need to focus more on improving their patch management for internal systems, even though they’re not directly connected to the Internet.

“People perceive external systems as a higher risk,” he explains. “They think they have to take action immediately because these systems are exposed to the Internet, whereas their other systems are protected by a firewall. And with internal systems, patching is slower because of the sheer amount of work to be done. If you compare a typical organization, you may have five servers on the Internet that require patching, while on the internal network you may have 5,000 desktops, along with databases and other systems. There’s simply a lot more work to patch internal systems than external.”

Eschelbeck also notes that his study shows that in the past year there has been a major shift in attacks on the network.

Before this year, 80 percent to 90 percent of attacks were aimed at the server side. Now, 60 percent of attacks are hitting client applications – browsers, media players, flash players. “The reason for the shift is a lot of the low-hanging fruit on the server side has been found and published. There still is a lot of low-hanging fruit out there on the client side… It doesn’t mean there are no vulnerabilities left [on the server side] but the low-hanging fruit is gone.”

Looking Ahead

Eschelbeck says there are two things he foresees for 2006:

  • Administrators will continue shrinking the vulnerability half-life, taking it down another 20 percent on internal and external systems. “The most effective way of accomplishing that is by prioritization,” he says. “There is no way to effectively patch each and every vulnerability, so we must focus on the top 10 percent. Some companies are Windows shops, but others may be a Unix shop or run a big Oracle database. You will all have different priorities. That’s where vulnerability management helps you to prioritize. You need to base your decisions on the individual technologies you are using.”
  • Eschelbeck also thinks the time when a worker just plugs her laptop into the corporate network and goes to work is just about over. “Today, I’m immediately connected [when I plug my laptop in] but in the future, every device will be validated first… Is this a machine that is properly patched, free from backdoors, has updated anti-virus? If not, the machine will be put into a patching network where it will be updated and patched and cleaned. Only then will it be allowed onto the corporate network.”

Sharon Gaudin is an eSecurity Planet contributor.