18 November 2005
Internal system vulnerabilities poorly patched
Gerhard Eschelbeck, CTO of Qualys and leading vulnerabilities researcher,
said that internal systems are still not being patched fast enough
compared with external ones. “There is a bigger perceived
risk with external vulnerabilities”, Eschelbeck told delegates
at CSI 2005 in Washington earlier this week, “but the reality
is otherwise”.
Eschelbeck was presenting the third iteration of his annual ‘Laws
of vulnerabilities’ research, based on scanning the internet,
and other systems covered by Qualys. Among other things this research
traces the changing half life of a vulnerability – how long
it takes for a flaw to be fixed on 50% of systems. The half life
for external vulnerabilities was 21 days in 2004 and 19 days in
2005; the half life for internal ones was 62 days in 2004 and is
now 48 — a bigger scale of improvement but still worryingly
long, said Eschelbeck.
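The half-life metric described above is easy to compute from a vulnerability scanner's own history, and doing so per network segment is how a team would check whether its internal hosts lag its external ones. The following is an added example, not Qualys' code or data: it takes a dated series of scan snapshots (how many hosts still exposed a given flaw on each scan) and interpolates the day on which the vulnerable population first fell to half its initial size. The two scan series are constructed sample data chosen to land on the article's 2005 figures.

```python
from datetime import date
from typing import Optional, Sequence, Tuple

# One snapshot = (scan date, number of hosts still exposing the flaw).
Snapshot = Tuple[date, int]

# Constructed sample data (not Qualys scan results): two segments scanned over time.
EXTERNAL_SCANS: Sequence[Snapshot] = [
    (date(2005, 9, 1), 1000),
    (date(2005, 9, 8), 820),
    (date(2005, 9, 15), 640),
    (date(2005, 9, 22), 444),
    (date(2005, 9, 29), 300),
]
INTERNAL_SCANS: Sequence[Snapshot] = [
    (date(2005, 9, 1), 2000),
    (date(2005, 9, 15), 1800),
    (date(2005, 9, 29), 1500),
    (date(2005, 10, 13), 1150),
    (date(2005, 10, 27), 800),
]
# A series that never reaches the 50% mark within the observation window.
STALLED_SCANS: Sequence[Snapshot] = [
    (date(2005, 9, 1), 100),
    (date(2005, 9, 8), 95),
    (date(2005, 9, 15), 90),
]


def half_life_days(scans: Sequence[Snapshot], fraction: float = 0.5) -> Optional[float]:
    """Days from the first scan until the vulnerable population first falls to
    `fraction` of its initial size (0.5 gives the half life as defined in the
    article). Linearly interpolates inside the scan interval where the crossing
    happened; returns None if the threshold is never reached in the series."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    if not scans or scans[0][1] <= 0:
        return None
    first_day, initial = scans[0]
    target = initial * fraction
    prev_day, prev_count = first_day, initial
    for day, count in scans[1:]:
        if count <= target:
            # prev_count is above target here, so the drop is strictly positive.
            span = (day - prev_day).days
            crossed = prev_count - target
            drop = prev_count - count
            return (prev_day - first_day).days + crossed * span / drop
        prev_day, prev_count = day, count
    return None


def remediation_gap(internal: Sequence[Snapshot], external: Sequence[Snapshot]) -> Optional[float]:
    """Ratio of internal to external half life; a value above 1 means the
    internal estate is patched more slowly than the perimeter."""
    hl_int = half_life_days(internal)
    hl_ext = half_life_days(external)
    if hl_int is None or hl_ext is None or hl_ext == 0:
        return None
    return hl_int / hl_ext


if __name__ == "__main__":
    print("external half life (days):", half_life_days(EXTERNAL_SCANS))
    print("internal half life (days):", half_life_days(INTERNAL_SCANS))
    print("stalled series:", half_life_days(STALLED_SCANS))
    print("internal/external gap:", remediation_gap(INTERNAL_SCANS, EXTERNAL_SCANS))
```

Interpolation matters because scans are periodic: a weekly scan that reports 640 then 444 vulnerable hosts cannot tell you which day the count passed 500, so the estimate assumes a steady rate between the two scans. A `None` result is itself a finding: the flaw did not reach its half life within the window, which is the "4% of vulnerabilities" situation the article mentions later.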
This year, the ‘Laws of Vulnerabilities’ was drawn
from a statistical analysis of nearly 21 million critical vulnerabilities,
collected from 32 million live network scans.
The researcher hailed the success of the predefined patch release
process pioneered by Microsoft. This year’s Zotob attacked
the “fastest patched vulnerability in history”, and
was “no big deal” compared with earlier miscreants,
like the Blaster worm.
The first fifteen days of an outbreak are the most critical, he
said: 85% of the damage is done then. And 90% of damage is done
by 10% of vulnerabilities. “So, focus on the top 10%”,
said Eschelbeck.
Vulnerabilities seem to be with us always. Fifty per cent of the
high-profile ones are replaced each year by a similar cohort. And
4% of vulnerabilities threaten to persist indefinitely.
Eschelbeck predicted that a big trend in 2006 will be the migration
of security enforcement to the network. “All the vendors are
on this trail: Cisco, Juniper, Microsoft, Symantec”, he said.
“We will see real pilots in this area next year”.