Though companies are making significant progress in their overall patching practices, nearly seven out of 10 business systems currently remain vulnerable to exploits and attacks, according to research from Qualys Inc.
At the same time, almost half of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities annually, according to the research, which was released today during a keynote address at the Computer Security Institute conference in Washington, D.C.
Qualys, a Redwood Shores, Calif.-based provider of managed security services, has been conducting a study of the vulnerability and patch management strategies of its clients — including its Fortune 500 customers — since 2002. Each year, the company releases a synopsis of its findings that highlight key trends in both areas.
This year’s findings are based on a study of more than 32 million vulnerability assessment scans within its customer base, said Gerhard Eschelbeck, chief technology officer at Qualys.
The research shows that on average, companies take about 19 days to fix 50 percent of their Internet-facing systems that might be exposed to a critical vulnerability. In contrast, last year the companies Qualys studied needed 21 days to protect half of their Internet-facing systems and 30 days to do so in 2003.
“Patching behaviors are getting pretty good,” Eschelbeck said, noting that many software vendors now have scheduled patch releases rather than offering them on an ad hoc basis. “When you have pre-defined patch releases, people tend to apply patches faster than they would with irregular [schedules].”
Even so, companies appear to be having less success when it comes to patching internal systems. On average, they take 48 days to patch 50 percent of the internal systems that could be exposed to a critical vulnerability. That number, while lower than the 62 days those businesses once needed, is not fast enough to mitigate the risks posed by today’s fast-moving worms and viruses, Eschelbeck said.
In fact, almost 80 percent of exploits and attacks targeting new software vulnerabilities surface in the time it takes companies to patch their systems, with most of the damage being done within the first 15 days of an exploit release, he said.
The research also showed that 90 percent of the vulnerability exposure that companies face comes from just 10 percent of critical vulnerabilities at any given time. By making it a priority to find and fix just those vulnerabilities first, businesses can greatly reduce their overall exposure, Eschelbeck said.
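The two measurements the article reports, the patch half-life (days until half of the exposed systems are fixed) and the concentration of exposure in a small set of vulnerabilities, can both be computed from a scan history. The following Python is an added example, not code from Qualys or from the article: the host names, vulnerability ids, zones and dates are constructed, and the `Exposure` record layout is an assumption about what a scanner exports.

```python
"""Patch half-life and exposure prioritization from scan records (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    host: str
    vuln_id: str
    zone: str               # "external" (Internet-facing) or "internal" (assumed field)
    first_seen: date        # scan date on which the exposure was first detected
    fixed: Optional[date]   # scan date on which it was confirmed remediated; None = still open


SNAPSHOT = date(2004, 11, 30)

# Constructed sample records: hypothetical hosts, vulnerability ids and dates.
EXPOSURES: List[Exposure] = [
    Exposure("web-01", "VULN-A", "external", date(2004, 11, 1), date(2004, 11, 5)),
    Exposure("web-02", "VULN-A", "external", date(2004, 11, 1), date(2004, 11, 12)),
    Exposure("web-03", "VULN-B", "external", date(2004, 11, 3), date(2004, 11, 22)),
    Exposure("mail-01", "VULN-B", "external", date(2004, 11, 3), None),
    Exposure("vpn-01", "VULN-C", "external", date(2004, 11, 5), date(2004, 11, 30)),
    Exposure("dns-01", "VULN-A", "external", date(2004, 11, 1), None),
    Exposure("fs-01", "VULN-A", "internal", date(2004, 10, 1), date(2004, 10, 20)),
    Exposure("fs-02", "VULN-A", "internal", date(2004, 10, 1), None),
    Exposure("db-01", "VULN-D", "internal", date(2004, 10, 2), date(2004, 11, 19)),
    Exposure("db-02", "VULN-D", "internal", date(2004, 10, 2), None),
    Exposure("hr-01", "VULN-E", "internal", date(2004, 10, 5), None),
    Exposure("pc-07", "VULN-A", "internal", date(2004, 10, 1), date(2004, 10, 31)),
]


def half_life_days(exposures: List[Exposure], zone: str, as_of: date) -> Optional[int]:
    """Days after first detection by which half of a zone's exposures were fixed.

    Returns None when the zone has no records or fewer than half of them were
    fixed by `as_of` (the half-life has not been reached yet).
    """
    rows = [e for e in exposures if e.zone == zone]
    if not rows:
        return None
    ages = sorted((e.fixed - e.first_seen).days
                  for e in rows if e.fixed is not None and e.fixed <= as_of)
    need = (len(rows) + 1) // 2          # "half", rounded up for odd counts
    if len(ages) < need:
        return None
    return ages[need - 1]                # age at which the need-th exposure closed


def open_exposures(exposures: List[Exposure], as_of: date) -> List[Exposure]:
    """Exposures that were still unpatched on the snapshot date."""
    return [e for e in exposures if e.fixed is None or e.fixed > as_of]


def fraction_hosts_open(exposures: List[Exposure], as_of: date) -> float:
    """Share of all scanned hosts carrying at least one open exposure."""
    hosts = {e.host for e in exposures}
    if not hosts:
        return 0.0
    still_open = {e.host for e in open_exposures(exposures, as_of)}
    return len(still_open) / len(hosts)


def vulns_covering(exposures: List[Exposure], share: float, as_of: date) -> Tuple[List[str], float]:
    """Smallest prefix of vulnerabilities (most open exposures first) that accounts
    for at least `share` of all open exposures, and the share actually covered.

    This is the fix-these-first list: the few vulnerabilities that carry most of
    the current exposure.
    """
    counts = Counter(e.vuln_id for e in open_exposures(exposures, as_of))
    total = sum(counts.values())
    if total == 0:
        return [], 0.0
    chosen, covered = [], 0
    for vuln_id, n in counts.most_common():
        chosen.append(vuln_id)
        covered += n
        if covered / total >= share:
            break
    return chosen, covered / total


if __name__ == "__main__":
    for zone in ("external", "internal"):
        print(zone, "half-life:", half_life_days(EXPOSURES, zone, SNAPSHOT), "days")
    print("hosts still exposed: %.0f%%" % (100 * fraction_hosts_open(EXPOSURES, SNAPSHOT)))
    print("fix first:", vulns_covering(EXPOSURES, 0.8, SNAPSHOT))
```

On the constructed records the external half-life comes out at 19 days and the internal one at 48 days; `vulns_covering` with a 0.8 share lists the three vulnerability ids that account for 80 percent of the open exposures. A still-unreached half-life is reported as `None` rather than a misleading number, which matters when a zone's scans are recent.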
By Jaikumar Vijayan, Computerworld