
November 15, 2005 8:34 AM PST

No end seen to patching race

WASHINGTON--System administrators may be dealing with security vulnerabilities more quickly, but the bad guys are still leading the race.

That's because threats that exploit the flaws are also appearing sooner, according to research presented Tuesday.

[Photo: Gerhard Eschelbeck, CTO, Qualys]

Although patching practices improved in the last year, nearly 70 percent of systems are currently vulnerable and at risk of attack, Gerhard Eschelbeck, chief technology officer and vice president of engineering at vulnerability management vendor Qualys, said during a presentation at the Computer Security Institute conference here.

In 2005, administrators have shaved two days off the "vulnerability half-life," the time it takes to halve the number of vulnerable systems that have direct Internet connections, Eschelbeck said.

Every 19 days, half of all the critical vulnerabilities are currently dealt with, either via a patch, a workaround or another security solution, according to Eschelbeck. That compares with 21 days a year ago and 30 days two years ago, he said.

But 19 days to fix half of all the vulnerable systems is not good enough. "Eighty percent of the exploits come out within the first half life of the vulnerability," Eschelbeck said. The "window of exposure" continues to shrink.

Administrators take longer to patch internal systems, which sit behind a firewall or are protected by other security technologies. Half of the vulnerable internal systems are now protected within 48 days, compared with 62 days last year, Eschelbeck said.
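As an added illustration that is not from the article or from Qualys, the following Python model works through the half-life metric described above: it fits a half-life to constructed scan counts (SCAN_COUNTS is made-up sample data, not Qualys results) and uses the article's 19-day external and 48-day internal figures to project how much of a vulnerable population remains exposed over time.

```python
import math

# Constructed sample, not Qualys data: (day, hosts still vulnerable to one
# critical flaw) from a hypothetical recurring external scan.
SCAN_COUNTS = [(0, 1000), (7, 780), (14, 600), (21, 470), (28, 360), (35, 280)]


def estimate_half_life(counts):
    """Estimate the vulnerability half-life in days from scan counts.

    Assumes exponential decay, count(t) = count(0) * 0.5 ** (t / h), and
    fits ln(count) = a - k * t by least squares; h = ln(2) / k.
    Returns math.inf if the vulnerable population is not shrinking.
    """
    if len(counts) < 2 or any(c <= 0 for _, c in counts):
        raise ValueError("need at least two scans with positive host counts")
    xs = [float(day) for day, _ in counts]
    ys = [math.log(c) for _, c in counts]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    k = -sxy / sxx  # decay rate per day
    return math.inf if k <= 0 else math.log(2) / k


def fraction_still_vulnerable(half_life, days):
    """Share of the original vulnerable population still exposed after `days`."""
    return 0.5 ** (days / half_life)


def days_to_fix(half_life, share_fixed):
    """Days until `share_fixed` (e.g. 0.9) of the vulnerable systems are remediated."""
    if not 0 <= share_fixed < 1:
        raise ValueError("share_fixed must be in [0, 1)")
    return half_life * math.log2(1.0 / (1.0 - share_fixed))


if __name__ == "__main__":
    h = estimate_half_life(SCAN_COUNTS)
    print(f"fitted half-life from sample scans: {h:.1f} days")
    # The article's 2005 figures: 19 days external, 48 days internal.
    for label, hl in (("fitted", h), ("external 2005", 19), ("internal 2005", 48)):
        print(f"{label:>14}: {fraction_still_vulnerable(hl, 30):.0%} still vulnerable "
              f"after 30 days; 90% fixed after {days_to_fix(hl, 0.9):.0f} days")
```

The projection makes the article's point concrete: even at a 19-day half-life, reaching 90 percent remediation takes roughly two months, well past the window in which most exploits appear.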

To better secure their systems, Eschelbeck recommends that organizations prioritize their patches. "Ninety percent of exposure is caused by 10 percent of the vulnerabilities," he said. To assist in the prioritization task, Eschelbeck pitched the Common Vulnerability Scoring System, or CVSS, which was introduced earlier this year.

"With the constant evolution and complexity of critical vulnerabilities, it is impossible for an organization to fix every potential flaw. It is essential to prioritize and patch those vulnerabilities that are most damaging to their individual network," he said.

For his research, Eschelbeck analyzed data from more than 32 million vulnerability scans. For 2003 and 2004, the data is for the full year, while the data for 2005 is for the first three quarters.

Job security
by SqlserverCode November 15, 2005 9:52 AM PST
Let's call this job security. How can a company get rid of an admin if they are patching 50% of their time? For all you know the admins are the same people writing the worms, viruses, etc.

http://otherthingsnow.blogspot.com