While IT administrators have stepped up their attention to patches,nearly 70 percent of systems still are vulnerable to attack, according toa new study.
In his third annual ”Laws of Vulnerabilities” study, GerhardEschelbeck, CTO and vice president of engineering at security companyQualys, Inc., shows that IT administrators are getting their systems –particularly their external systems — patched at a greater speed thaneven a year ago. Hackers, however, are picking up their own pace, makingit a brutal race to secure the enterprise.
”This has clearly been the year of progress,” Eschelbeck toldeSecurityPlanet in a one-on-one interview. ”People have been ableto patch their systems that much faster. It’s a matter of prioritizing.Clearly, patching is more important to them now. Worms and the damagethey’ve brought has increased the immediacy of the issue.”
Eschelbeck’s study shows that on external systems the vulnerabilityhalf-life went from 21 days in 2004 to 19 days in the later part of thisyear. In 2003, it was 30 days. And on internal systems, the vulnerabilityhalf-life went from 62 days in 2004 to 48 days this year.
The vulnerability half-life is considered to be the time between when thevendor releases a patch and the point when 50 percent of systems haveinstalled it.
Eschelbeck says there’s significant improvement for both internal andexternal systems but administrators need to focus more on improving theirpatch management for internal systems, even though they’re not directlyconnected to the Internet.
”People perceive external systems as a higher risk,” he explains.”They think they have to take action immediately because these systemsare exposed to the Internet, where as their other systems are protectedby a firewall. And with internal systems, patching is slower because ofthe sheer amount of work to be done. If you compare a typicalorganization, you may have five servers on the Internet that requirepatching, while on the internal network you may have 5,000 desktops,along with databases and other systems. There’s simply a lot more work topatch internal systems than external.”
Eschelbeck also notes that his study shows that in the past year therehas been a major shift in attacks on the network.
Before this year, 80 percent to 90 percent of attacks were aimed at theserver side. Now, 60 percent of attacks are hitting client applications– browsers, media players, flash players. ”The reason for the shift isa lot of the low-hanging fruit on the server side has been found andpublished. There still is a lot of low-hanging fruit out there on theclient side… It doesn’t mean there are no vulnerabilities left [on theserver side] but the low-hanging fruit is gone.”
Looking Ahead
Eschelbeck says there are two things he foresees for 2006: