System administrators may be dealing with security vulnerabilities more quickly, but the bad guys are still leading the race.
That's because threats that exploit the flaws are also appearing sooner, according to research presented on Tuesday.
Although patching practices improved in the last year, nearly 70 percent of systems are currently vulnerable and at risk of attack, Gerhard Eschelbeck, chief technology officer and vice-president of engineering at vulnerability management vendor Qualys, said during a presentation at the Computer Security Institute conference in Washington.
In 2005, administrators have shaved two days off the "vulnerability half life," the time it takes to reduce the number of vulnerable systems that have direct Internet connections, Eschelbeck said.
Every 19 days, half of all the critical vulnerabilities are currently dealt with, either via a patch, a workaround or another security solution, according to Eschelbeck. That compares with 21 days a year ago and 30 days two years ago, he said.
But 19 days to fix half of all the vulnerable systems is not good enough. "Eighty percent of the exploits come out within the first half life of the vulnerability," Eschelbeck said. The "window of exposure" continues to shrink.
Administrators take their time to patch internal systems, which are behind a firewall or protected by other security technologies. Half of the vulnerable systems are now protected in 48 days, compared to 62 days last year, Eschelbeck said.
To better secure their systems, Eschelbeck recommends that organisations prioritise their patches. "Ninety percent of exposure is caused by 10 percent of the vulnerabilities," he said. To assist in the prioritisation task, Eschelbeck pitched the CVSS, which was introduced earlier this year.
"With the constant evolution and complexity of critical vulnerabilities, it is impossible for an organisation to fix every potential flaw. It is essential to prioritise and patch those vulnerabilities that are most damaging to their individual network," he said.
For his research, Eschelbeck analysed data from more than 32 million vulnerability scans. For 2003 and 2004, the data is for the full year, while the data for 2005 is for the first three quarters.
Talkback
Being able to patch quickly is not enough. One needs to be able to realisticly test patches quickly. And be able to roll back to the last known good situation (without loss of the last data changes or other disruption) in massive and quick ways as well.
Thing is that anything you do that you can't undo quickly without any other loss is a potential recipe for disaster.
Also, patching alone isn't by far enough to keep the bad guys out. But it helps for sure.
Being able to patch quickly is not enough. One needs to be able to realisticly test patches quickly. And be able to roll back to the last known good situation (without loss of the last data changes or other disruption) in massive and quick ways as well.
Thing is that anything you do that you can't undo quickly without any other loss is a potential recipe for disaster.
Also, patching alone isn't by far enough to keep the bad guys out. But it helps for sure.