
Research shows ISM progress but reveals two out of three systems still vulnerable

Gerhard Eschelbeck, CTO and VP Engineering of Qualys, Inc., the provider of on-demand vulnerability management and policy compliance solutions, has unveiled his 2005 findings from the ‘Laws of Vulnerabilities’ research, which shows new trends in network vulnerabilities. The research shows that while significant improvement was made during the last year in patching practices, two out of three, or nearly 70 percent of systems, are still currently vulnerable and in jeopardy of potential exploit or attack.

For more than three years, Eschelbeck has analysed statistical vulnerability data to create the Laws of Vulnerabilities, which identifies network security trends and allows organisations to recognise evolving threats and compare their remediation efforts with the rest of the industry. This year, the Laws of Vulnerabilities was drawn from a statistical analysis of nearly 21 million critical vulnerabilities, collected from 32 million live network scans, the largest real-world data set of network vulnerabilities to date.

The data shows that organisations have improved patching processes on internal systems by 23 percent and on external systems by 10 percent. However, the time-to-exploit cycle from automated attacks continues to shrink dramatically. Today, 85 percent of damage from automated attacks occurs within the first fifteen days from the outbreak.

The research also shows that the threat to wireless systems today is statistically very small. Only one in nearly 20,000 critical vulnerabilities is caused by a wireless device. However, there has been a significant shift from server-side to client-side vulnerabilities. More than 60 percent of new critical vulnerabilities occur in client applications. Client-side vulnerabilities require a user to take action, such as visiting a malicious website or opening an infected email attachment.

“2005 has been the year of improvements for patching and updating vulnerable systems,” said Mr Eschelbeck. “This is heavily driven by the fact that vendors are now issuing regular advisories with patch updates, which ends up speeding the prioritisation and remediation efforts within organisations.”

More results include:

1. Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. In the last year, the half-life of critical vulnerabilities for external systems has been reduced from 21 days to 19 days; and from 62 days to 48 days for internal systems. Vulnerabilities released on a predefined schedule show an 18 percent increase in patch response.

2. Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis.

3. Persistence: Four percent of critical vulnerabilities remain persistent and their lifespan is unlimited.

4. Focus: 90 percent of vulnerability exposure is caused by 10 percent of critical vulnerabilities.

5. Window of Exposure: The time-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of exploits are available within the first half-life period of critical vulnerabilities.

6. Exploitation: Automated attacks create 85 percent of their damage within the first fifteen days from the outbreak and have an unlimited lifetime.
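As an added illustration of the half-life metric (item 1) and of how it interacts with the fifteen-day damage window (items 5 and 6), here is example code that is not part of the original article or of Qualys' own tooling. It assumes remediation decays exponentially, so that a series of periodic scan counts can be fitted to N(t) = N0 · 0.5^(t/h); the scan counts below are constructed, not real data.

```python
import math

# Constructed sample scan series (not Qualys data): number of hosts on which a
# critical vulnerability was still present on each scan day after the advisory.
# The values were generated from a 19-day half-life so the fit can be checked.
EXTERNAL_SCANS = [(0, 1000), (7, 775), (14, 600), (21, 465), (28, 360), (42, 216)]


def estimate_half_life(scans):
    """Estimate the half-life in days from (day, hosts_still_vulnerable) pairs.

    Assumes exponential remediation N(t) = N0 * 0.5 ** (t / h) and fits it by
    least squares on ln N(t) against t, where the slope equals -ln 2 / h.
    """
    days = [float(d) for d, _ in scans]
    logs = [math.log(n) for _, n in scans]
    mean_d = sum(days) / len(days)
    mean_l = sum(logs) / len(logs)
    cov = sum((d - mean_d) * (l - mean_l) for d, l in zip(days, logs))
    var = sum((d - mean_d) ** 2 for d in days)
    slope = cov / var
    if slope >= 0:
        raise ValueError("vulnerable population is not shrinking; no half-life")
    return -math.log(2) / slope


def fraction_still_exposed(half_life, days_since_advisory):
    """Share of systems still unpatched a given number of days after release."""
    return 0.5 ** (days_since_advisory / half_life)


def days_to_patch_fraction(half_life, patched_fraction):
    """Days needed until the given fraction of systems has been remediated."""
    return half_life * math.log2(1.0 / (1.0 - patched_fraction))


if __name__ == "__main__":
    h = estimate_half_life(EXTERNAL_SCANS)
    print(f"fitted external half-life: {h:.1f} days")
    # Item 6: most automated-attack damage lands within the first 15 days, so the
    # share of systems still unpatched at day 15 is the population at risk.
    for label, hl in (("external", 19), ("internal", 48)):
        print(f"{label}: {fraction_still_exposed(hl, 15):.0%} still exposed at day 15, "
              f"{days_to_patch_fraction(hl, 0.9):.0f} days to reach 90% patched")
```

With the article's 19-day and 48-day half-lives, roughly 58 percent of external and 81 percent of internal systems are still unpatched on day 15, which is why shrinking the half-life matters more than the absolute patch rate.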

www.qualys.com

Date: 29th Nov 2005 • Region: World • Type: Article • Topic: ISM