by Paul Kerstein

Survey: Most Companies Still Vulnerable to Attacks

Nov 16, 2005

Though companies are making significant progress in their overall patching practices, nearly seven out of 10 business systems currently remain vulnerable to exploits and attacks, according to research from Qualys Inc.

At the same time, almost half of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities annually, according to the research, which was released Tuesday during a keynote address at the Computer Security Institute conference.

Qualys, a Redwood Shores, Calif.-based provider of managed security services, has been conducting a study of the vulnerability and patch management strategies of its clients — including its Fortune 500 customers — since 2002. Each year, the company releases a synopsis of its findings that highlights key trends in both areas.

This year’s findings are based on a study of more than 32 million vulnerability assessment scans within its customer base, said Gerhard Eschelbeck, chief technology officer at Qualys.

The research shows that on average, companies take about 19 days to fix 50 percent of their Internet-facing systems that might be exposed to a critical vulnerability. In contrast, last year the companies Qualys studied needed 21 days to protect half of their Internet-facing systems, and 30 days to do so in 2003.

"Patching behaviors are getting pretty good," Eschelbeck said, noting that many software vendors now have scheduled patch releases rather than offering them on an ad hoc basis. "When you have pre-defined patch releases, people tend to apply patches faster than they would with irregular [schedules]."

Even so, companies appear to be having less success when it comes to patching internal systems. On average, they take 48 days to patch 50 percent of the internal systems that could be exposed to a critical vulnerability. That number, while lower than the 62 days those businesses once needed, is not fast enough to mitigate the risks posed by today’s fast-moving worms and viruses, Eschelbeck said.

In fact, almost 80 percent of exploits and attacks targeting new software vulnerabilities surface in the time it takes companies to patch their systems, with most of the damage being done within the first 15 days of an exploit release, he said.

The research also showed that 90 percent of the vulnerability exposure that companies face comes from just 10 percent of critical vulnerabilities at any given time. By making it a priority to find and fix just those vulnerabilities first, businesses can greatly reduce their overall exposure, Eschelbeck said.
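The two measures the article leans on, the days until 50 percent of exposed systems are fixed and the short list of vulnerabilities that accounts for most open exposure, as an added example that is not part of the article or of Qualys's own tooling; it runs over a constructed set of scan findings with placeholder vulnerability ids (VULN-A and so on are not real advisories).

```python
from datetime import date

# Constructed sample scan findings: (vuln id, host, first seen, remediated on or None).
# Vuln ids are placeholders, not real advisories; ten web hosts share VULN-A.
A_FIXED = [date(2005, 10, d) for d in (5, 8, 12, 20, 25)] + [None] * 5
FINDINGS = [("VULN-A", f"web{i}", date(2005, 10, 1), fixed)
            for i, fixed in enumerate(A_FIXED, start=1)] + [
    ("VULN-B", "db1", date(2005, 10, 3), date(2005, 10, 4)),
    ("VULN-B", "db2", date(2005, 10, 3), None),
    ("VULN-C", "mail1", date(2005, 10, 2), date(2005, 10, 30)),
]
SNAPSHOT = date(2005, 10, 10)  # the scan date the exposure report is taken as of


def half_life_days(findings, vuln_id):
    """Days from first sighting until at least half of the hosts exposed to
    vuln_id were remediated (the survey's time-to-fix-50% metric).
    Returns None when fewer than half have been fixed so far."""
    rows = [f for f in findings if f[0] == vuln_id]
    needed = (len(rows) + 1) // 2  # ceil(n / 2) hosts must be fixed
    fix_days = sorted((fixed - first).days for _, _, first, fixed in rows if fixed)
    if not rows or len(fix_days) < needed:
        return None
    return fix_days[needed - 1]


def open_exposure(findings, as_of):
    """Count of still-open (host, vuln) pairs per vuln id as of a date."""
    counts = {}
    for vuln, _, first, fixed in findings:
        if first <= as_of and (fixed is None or fixed > as_of):
            counts[vuln] = counts.get(vuln, 0) + 1
    return counts


def vulns_covering_share(counts, share=0.9):
    """Smallest fix-first list: vulns taken most-exposed first until their open
    findings make up at least `share` of all open exposure."""
    total = sum(counts.values())
    picked, covered = [], 0
    for vuln, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        picked.append(vuln)
        covered += n
        if covered >= share * total:
            break
    return picked
```

With this sample, VULN-A reaches its half-life after 24 days while its eight still-open hosts alone make up 80 percent of the exposure on the snapshot date, so the fix-first list at the 90 percent mark is VULN-A and VULN-B.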

By Jaikumar Vijayan – Computerworld (US online)